Edit tour
Windows
Analysis Report
RIP_YOUR_PC_LOL.exe
Overview
General Information
| Sample Name: | RIP_YOUR_PC_LOL.exe |
| Analysis ID: | 585264 |
| MD5: | 52867174362410d63215d78e708103ea |
| SHA1: | 7ae4e1048e4463a4201bdeaf224c5b6face681bf |
| SHA256: | 37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a |
| Tags: | exe |
| Infos: |   |
 | |
Detection
HawkEye Nanocore njRat AsyncRAT Azorult DCRat Ficker Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected RedLine Stealer
Yara detected MailPassView
Yara detected HawkEye Keylogger
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Azorult Info Stealer
Detected Nanocore Rat
Yara detected AsyncRAT
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Yara detected Nanocore RAT
Yara detected DCRat
Yara detected Generic Dropper
Yara detected Azorult
Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Yara detected Mimikatz
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Yara detected Ficker Stealer
Sigma detected: Suspicius Schtasks From Env Var Folder
Sigma detected: System File Execution Location Anomaly
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Sample uses process hollowing technique
Sigma detected: File Created with System Process Name
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Yara detected WebBrowserPassView password recovery tool
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: CurrentVersion Autorun Keys Modification
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Sigma detected: Suspicious Add Scheduled Task Parent
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sigma detected: Autorun Keys Modification
Classification
- System is w10x64
RIP_YOUR_PC_LOL.exe (PID: 6880 cmdline: "C:\Users\ user\Deskt op\RIP_YOU R_PC_LOL.e xe" MD5: 52867174362410D63215D78E708103EA) - healastounding.exe (PID: 3572 cmdline:
"C:\Users\ user\AppDa ta\Roaming \healastou nding.exe" MD5: 6FB798F1090448CE26299C2B35ACF876) - test.exe (PID: 6236 cmdline:
"C:\Users\ user\AppDa ta\Roaming \test.exe" MD5: 7E50B292982932190179245C60C0B59B) - gay.exe (PID: 1104 cmdline:
"C:\Users\ user\AppDa ta\Roaming \gay.exe" MD5: 8EEDC01C11B251481DEC59E5308DCCC3) - mediaget.exe (PID: 4688 cmdline:
"C:\Users\ user\AppDa ta\Roaming \mediaget. exe" MD5: 8EEDC01C11B251481DEC59E5308DCCC3) - netsh.exe (PID: 7092 cmdline:
netsh fire wall add a llowedprog ram "C:\Us ers\user\A ppData\Roa ming\media get.exe" " mediaget.e xe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807) 
conhost.exe (PID: 4104 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - Opus.exe (PID: 3244 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Opus.exe" MD5: 759185EE3724D7563B709C888C696959) - schtasks.exe (PID: 6420 cmdline:
schtasks.e xe" /creat e /f /tn " DHCP Monit or" /xml " C:\Users\u ser\AppDat a\Local\Te mp\tmp4896 .tmp MD5: 15FF7D8324231381BAD48A052F85DF04) - conhost.exe (PID: 3280 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - schtasks.exe (PID: 7052 cmdline:
schtasks.e xe" /creat e /f /tn " DHCP Monit or Task" / xml "C:\Us ers\user\A ppData\Loc al\Temp\tm p5D87.tmp MD5: 15FF7D8324231381BAD48A052F85DF04) - conhost.exe (PID: 4564 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - aaa.exe (PID: 3984 cmdline:
"C:\Users\ user\AppDa ta\Roaming \aaa.exe" MD5: 860AA57FC3578F7037BB27FC79B2A62C) - aaa.exe (PID: 6256 cmdline:
C:\Users\u ser\AppDat a\Roaming\ aaa.exe MD5: 860AA57FC3578F7037BB27FC79B2A62C) - 8f1c8b40c7be588389a8d382040b23bb.exe (PID: 5376 cmdline:
"C:\Users\ user\AppDa ta\Roaming \8f1c8b40c 7be588389a 8d382040b2 3bb.exe" MD5: 8F1C8B40C7BE588389A8D382040B23BB) - FFDvbcrdfqs.exe (PID: 6920 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\FFDvbc rdfqs.exe" MD5: 78D40B12FFC837843FBF4DE2164002F6) - Dcvxaamev.exe (PID: 6612 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\Dcvxaa mev.exe" MD5: 870D6E5AEF6DEA98CED388CCE87BFBD4)