Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RIP_YOUR_PC_LOL.exe

Overview

General Information

Sample Name:RIP_YOUR_PC_LOL.exe
Analysis ID:585264
MD5:52867174362410d63215d78e708103ea
SHA1:7ae4e1048e4463a4201bdeaf224c5b6face681bf
SHA256:37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Tags:exe
Infos:

Detection

HawkEye Nanocore njRat AsyncRAT Azorult DCRat Ficker Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Yara detected MailPassView
Yara detected HawkEye Keylogger
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Azorult Info Stealer
Detected Nanocore Rat
Yara detected AsyncRAT
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Yara detected Nanocore RAT
Yara detected DCRat
Yara detected Generic Dropper
Yara detected Azorult
Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Yara detected Mimikatz
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Yara detected Ficker Stealer
Sigma detected: Suspicius Schtasks From Env Var Folder
Sigma detected: System File Execution Location Anomaly
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Sample uses process hollowing technique
Sigma detected: File Created with System Process Name
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Yara detected WebBrowserPassView password recovery tool
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: CurrentVersion Autorun Keys Modification
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Sigma detected: Suspicious Add Scheduled Task Parent
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sigma detected: Autorun Keys Modification

Classification

  • System is w10x64
  • RIP_YOUR_PC_LOL.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe" MD5: 52867174362410D63215D78E708103EA)
    • healastounding.exe (PID: 3572 cmdline: "C:\Users\user\AppData\Roaming\healastounding.exe" MD5: 6FB798F1090448CE26299C2B35ACF876)
      • test.exe (PID: 6236 cmdline: "C:\Users\user\AppData\Roaming\test.exe" MD5: 7E50B292982932190179245C60C0B59B)
      • gay.exe (PID: 1104 cmdline: "C:\Users\user\AppData\Roaming\gay.exe" MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
        • mediaget.exe (PID: 4688 cmdline: "C:\Users\user\AppData\Roaming\mediaget.exe" MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
          • netsh.exe (PID: 7092 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 4104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Opus.exe (PID: 3244 cmdline: "C:\Users\user\AppData\Roaming\Opus.exe" MD5: 759185EE3724D7563B709C888C696959)
        • schtasks.exe (PID: 6420 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 3280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 7052 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5D87.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • aaa.exe (PID: 3984 cmdline: "C:\Users\user\AppData\Roaming\aaa.exe" MD5: 860AA57FC3578F7037BB27FC79B2A62C)
        • aaa.exe (PID: 6256 cmdline: C:\Users\user\AppData\Roaming\aaa.exe MD5: 860AA57FC3578F7037BB27FC79B2A62C)
      • 8f1c8b40c7be588389a8d382040b23bb.exe (PID: 5376 cmdline: "C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe" MD5: 8F1C8B40C7BE588389A8D382040B23BB)
        • FFDvbcrdfqs.exe (PID: 6920 cmdline: "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe" MD5: 78D40B12FFC837843FBF4DE2164002F6)
        • Dcvxaamev.exe (PID: 6612 cmdline: "C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe" MD5: 870D6E5AEF6DEA98CED388CCE87BFBD4)