Windows Analysis Report
cANdLlHS4N

Overview

General Information

Sample Name: cANdLlHS4N (renamed file extension from none to exe)
Analysis ID: 586425
MD5: b3139b26a2dabb9b6e728884d8fa8b33
SHA1: de5672c7940e4fad3c8145ce9e8a5fcb1da0fcee
SHA256: 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481
Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Submitted sample is a known malware sample
Writes to foreign memory regions
Contains functionality to start reverse TCP shell (cmd.exe)
Connects to many ports of the same IP (likely port scanning)
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Potential key logger detected (key state polling based)
Detected non-DNS traffic on DNS port
Queries keyboard layouts
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to detect sandboxes (mouse cursor move detection)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • cANdLlHS4N.exe (PID: 6048 cmdline: "C:\Users\user\Desktop\cANdLlHS4N.exe" MD5: B3139B26A2DABB9B6E728884D8FA8B33)
    • obedience.exe (PID: 488 cmdline: C:\Users\user\AppData\Local\Temp\obedience.exe MD5: 6A1C14D5F16A07BEF55943134FE618C0)
      • iexplore.exe (PID: 5844 cmdline: C:\Program Files (x86)\Internet Explorer\iexplore.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • obedience.exe (PID: 5080 cmdline: "C:\Users\user\AppData\Local\Temp\obedience.exe" MD5: 6A1C14D5F16A07BEF55943134FE618C0)
    • iexplore.exe (PID: 244 cmdline: C:\Program Files (x86)\Internet Explorer\iexplore.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup
No configs have been found
Source: cANdLlHS4N.exe | Rule: Dropper_DeploysMalwareViaSideLoading | Description: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX | Author: USG | Strings:
  • 0x135bf2:$UniqueString: 2E 6C 6E 6B 00 00 5C 00 00 00 61 76 70 75 69 2E 65 78 65
  • 0x30f9:$PsuedoRandomStringGenerator: B9 1A 00 00 00 F7 F9 46 80 C2 41 88 54 35 8B 83 FE 64
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat | Rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief | Description: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT | Author: USG | Strings:
  • 0x38a81:$RedleavesStringObfu: 73 64 65 5E 60 74 75 74 6C 6F 60 6D 5E 6D 64 60 77 64 72 5E 65 6D 6D 6C 60 68 6F 2F 65 6D 6D
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat | Rule: SUSP_XORed_MSDOS_Stub_Message | Description: Detects suspicious XORed MSDOS stub message | Author: Florian Roth | Strings:
  • 0x14c7:$xo1: Osrh;kit|izv;xzuuto;y~;inu;ru;_TH;vt\x7F~
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll | Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn | Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG | Strings:
  • 0x11d0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll | Rule: OpCloudHopper_Malware_6 | Description: Detects malware from Operation Cloud Hopper | Author: Florian Roth | Strings:
  • 0x17d3c:$s4: SOFTWARE\EGGORG
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp | Rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief | Description: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT | Author: USG | Strings:
  • 0x38a81:$RedleavesStringObfu: 73 64 65 5E 60 74 75 74 6C 6F 60 6D 5E 6D 64 60 77 64 72 5E 65 6D 6D 6C 60 68 6F 2F 65 6D 6D
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp | Rule: SUSP_XORed_MSDOS_Stub_Message | Description: Detects suspicious XORed MSDOS stub message | Author: Florian Roth | Strings:
  • 0x14c7:$xo1: Osrh;kit|izv;xzuuto;y~;inu;ru;_TH;vt\x7F~
Source: 00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp | Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn | Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG | Strings:
  • 0xdd0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
Source: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp | Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn | Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG | Strings:
  • 0xdd0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
Source: 00000000.00000000.235573187.0000000000CA2000.00000008.00000001.01000000.00000003.sdmp | Rule: SUSP_XORed_MSDOS_Stub_Message | Description: Detects suspicious XORed MSDOS stub message | Author: Florian Roth | Strings:
  • 0x6c46:$xo1: 6\x0A\x0B\x11B\x12\x10\x0D\x05\x10\x03\x0FB\x01\x03\x0C\x0C\x0D\x16B\x07B\x10\x17\x0CB\x0B\x0CB&-1B\x0F\x0D\x06\x07
  • 0x28ccf:$xo1: Mqpj9ikv~kxt9zxwwvm9{|9klw9pw9]VJ9tv}|
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack | Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn | Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG | Strings:
  • 0x5d0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack | Rule: OpCloudHopper_Malware_6 | Description: Detects malware from Operation Cloud Hopper | Author: Florian Roth | Strings:
  • 0x16b3c:$s4: SOFTWARE\EGGORG
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack | Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn | Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG | Strings:
  • 0x11d0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack | Rule: OpCloudHopper_Malware_6 | Description: Detects malware from Operation Cloud Hopper | Author: Florian Roth | Strings:
  • 0x17d3c:$s4: SOFTWARE\EGGORG
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack | Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn | Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG | Strings:
  • 0x5d0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
Source: Process started | Author: frack113 | Data: Command: C:\Users\user\AppData\Local\Temp\obedience.exe, CommandLine: C:\Users\user\AppData\Local\Temp\obedience.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\obedience.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\obedience.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\obedience.exe, ParentCommandLine: "C:\Users\user\Desktop\cANdLlHS4N.exe" , ParentImage: C:\Users\user\Desktop\cANdLlHS4N.exe, ParentProcessId: 6048, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\obedience.exe, ProcessId: 488

AV Detection

Source: cANdLlHS4N.exe | Virustotal: Detection: 77%
Source: cANdLlHS4N.exe | Metadefender: Detection: 64%
Source: cANdLlHS4N.exe | ReversingLabs: Detection: 84%
Source: cANdLlHS4N.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll | Avira: detection malicious, Label: HEUR/AGEN.1226539