Windows Analysis Report
dinhVFAbgo

Overview

General Information

Sample Name: dinhVFAbgo (renamed file extension from none to exe)
Analysis ID: 626617
MD5: de3eafb5fa64237cb2d54949c432f19c
SHA1: bbb3d8d70e1416241b469c3f58596986957ac39d
SHA256: 93d2edbc498f6f8689223bcb079143a97627efe9c1f7b23687a94a1eaf223d78
Tags: 32exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found evasive API chain (may stop execution after checking mutex)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Potential key logger detected (key state polling based)
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • dinhVFAbgo.exe (PID: 6440 cmdline: "C:\Users\user\Desktop\dinhVFAbgo.exe" MD5: DE3EAFB5FA64237CB2D54949C432F19C)
    • cmd.exe (PID: 6460 cmdline: C:\Windows\system32\cmd.exe /c md C:\DownLoad-Helper MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: dinhVFAbgo.exe | Virustotal: Detection: 10%
Source: dinhVFAbgo.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: dinhVFAbgo.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CAC295 __EH_prolog3_GS,GetFullPathNameA,__cftof,_strlen,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen,_strlen
Source: global traffic | TCP traffic: 192.168.2.3:49735 -> 59.110.190.41:80
Source: dinhVFAbgo.exe | String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_Defender.dat
Source: dinhVFAbgo.exe | String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_FsFilter.dat
Source: dinhVFAbgo.exe | String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_Defender.dat
Source: dinhVFAbgo.exe | String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_Defender.dathttps:
Source: dinhVFAbgo.exe | String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_FsFilter.dat
Source: dinhVFAbgo.exe | String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Agent.exe
Source: dinhVFAbgo.exe | String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.ini
Source: dinhVFAbgo.exe | String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.inihttps://wtyjqp
Source: unknown | DNS traffic detected: queries for: wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CA79A0 recv
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00D09483 __EH_prolog3_GS,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CB3981 GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CCBE54 SendMessageA,GetKeyState,SendMessageA,SendMessageA,SendMessageA,GetKeyState,SendMessageA,SendMessageA,GetKeyState,GetKeyState,GetKeyState,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,MessageBeep
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00D2428E GetKeyboardState,GetKeyboardLayout,MapVirtualKeyA,ToAsciiEx,LoadAcceleratorsW,LoadAcceleratorsW
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00D7A59D __EH_prolog3_catch_GS,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CB406F
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00DE406E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00DE42A0
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00DE44D2
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00DE8A9A
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00DEAA00
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00DE0D40
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00E0303E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00D0D1DF
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CD313E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00E0532A
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00E01317
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00E0544A
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: String function: 00DDD55F appears 124 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: String function: 00DDD52C appears 296 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: String function: 00CA6953 appears 34 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: String function: 00DDCEDD appears 65 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: String function: 00DDD690 appears 66 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: String function: 00CACA43 appears 44 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CA6BF1 DeviceIoControl
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CA6AF3 OpenSCManagerA,OpenServiceA,GetLastError,DeleteService,ControlService,GetLastError,StartServiceA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle
Source: dinhVFAbgo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\dinhVFAbgo.exe "C:\Users\user\Desktop\dinhVFAbgo.exe"
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c md C:\DownLoad-Helper
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Source: classification engine | Classification label: mal56.evad.winEXE@4/0@6/1
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CA5D23 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CA6AF3 OpenSCManagerA,OpenServiceA,GetLastError,DeleteService,ControlService,GetLastError,StartServiceA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CA8C59 GetFullPathNameA,OpenSCManagerA,CloseServiceHandle,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegCreateKeyExA,RegSetValueExA,RegFlushKey,RegCloseKey,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegFlushKey,RegCloseKey
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | File read: C:\DownLoad-Helper\Update.ini
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CA863A CreateToolhelp32Snapshot,Thread32First,CloseHandle,CloseHandle,OpenThread,OpenProcess,GetMappedFileNameA,TerminateThread,CloseHandle,CloseHandle,Thread32Next,CloseHandle,GetLastError,CloseHandle,SetLastError,CloseHandle
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Mutant created: \Sessions\1\BaseNamedObjects\services.exe
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | Code function: 0_2_00CB2712 FindResourceA,LoadResource,LockResource
Source: dinhVFAbgo.exe | String found in binary or memory: C:\DownLoad-Helper\services.exe
Source: dinhVFAbgo.exe | String found in binary or memory: C:\DownLoad-Helper\x64_FsFilter.sys
Source: dinhVFAbgo.exe | String found in binary or memory: C:\DownLoad-Helper\x64_Defender.dat
Source: dinhVFAbgo.exe | String found in binary or memory: C:\DownLoad-Helper\x64_Defender.sys
Source: dinhVFAbgo.exe | String found in binary or memory: C:\DownLoad-Helper\x64_FsFilter.dat
Source: dinhVFAbgo.exe | String found in binary or memory: md C:\DownLoad-Helper
Source: dinhVFAbgo.exe | String found in binary or memory: C:\DownLoad-Helper\servicesDecode.exe
Source: dinhVFAbgo.exe | String found in binary or memory: C:\DownLoad-Helper\svchost.dat
Source: dinhVFAbgo.exe | String found in binary or memory: C:\DownLoad-Helper\svchost.exe
Source: dinhVFAbgo.exe | String found in binary or memory: C:\DownLoad-Helper
Source: dinhVFAbgo.exe | String found in binary or memory: Cannot get trigger collection: %xTrigger1C:\DownLoad-Helper\svchost.exeC:\DownLoad-Helper\svchost.dat: iostreambad castbad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set
Source: dinhVFAbgo.exe | String found in binary or memory: iostream stream error/NOC:\DownLoad-Helper\Agent.exeContent-Length\Update.inihttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.inihttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Agent.exe\Updater.ini\x64_FsFilter.dat\x64_Defender.datwbx64_FsFilter.datx64_Defender.datMicrosoft Windows 7C:\DownLoad - Helper\x64_Defender.datC:\DownLoad - Helper\x64_FsFilter.dathttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_Defender.dathttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_FsFilter.dathttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_Defender.dathttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_FsFilter.datmainverMAINVERUpdate.iniUpdater.iniopen\\.\x64_DefenderLinksWindows
Source: dinhVFAbgo.exe | String found in binary or memory: C:\DownLoad-Helper\services.exeiniurlINIURLrestartRESTARTYESGetNativeSystemInfokernel32unknown OperatingSystem.Microsoft Windows NT 4.0Microsoft Windows 95Microsoft Windows 98Microsoft Windows MeMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows XP Professional x64 EditionMicrosoft Windows Server 2003Microsoft Windows Server 2003 R2Microsoft Windows VistaMicrosoft Windows Server 2008Microsoft Windows Server 2008 R2NetPCI%s
Source: dinhVFAbgo.exe | String found in binary or memory: u@CC:\DownLoad-Helper\x64_Defender.sysx64_DefenderC:\DownLoad-Helper\x64_Defender.datC:\DownLoad-Helper\x64_FsFilter.sysFsFilterC:\DownLoad-Helper\x64_FsFilter.dat370030InitializeLoadDriver_NewVersion64360rp.exe360tray.exe360sd.exeZhuDongFangYu.exeQQPCRTP.exeQQPCTray.exekxetray.exekwsprotect64.exeG2345SafeTray.exe2345SafeSvc.exe360Tray.exeknewvip.exekxescore.exekxecenter.exekxemain.exeHipsTray.exeHipsDaemon.exe2345MPCSafe.exeLenovoPcManagerService.exeLAVService.exeLenovoTray.exe360{C3C4746B-4B9D-4694-90A0-3323295ED085}360Safe.exe
Source: dinhVFAbgo.exe | String found in binary or memory: Q360SafeMainClass360safemonpro.tpiservices.exemd C:\DownLoad-HelperKERNEL32.dllWinExeccmd /c ren C:\"Program Files (x86)"\"Common Files"\Tencent\QQProtect\sonfig Bincmd /c rmdir /s /q C:\"Program Files (x86)"\"Common Files"\Tencent\QQProtect\Bincmd /c del C:\jc.txtC:\DownLoad-Helper\servicesDecode.exe.ACPntdllZwQueryInformationThread
Source: C:\Users\user\Desktop\dinhVFAbgo.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: dinhVFAbgo.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: dinhVFAbgo.exe | Static file information: File size 2117120 > 1048576
Source: dinhVFAbgo.exe | Static PE information: Raw size of .text is