Windows
Analysis Report
VASkmEQ4iU.exe
Overview
General Information
Detection
Record Stealer
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Record Stealer
Snort IDS alert for network traffic
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to steal Crypto Currency Wallets
Tries to evade analysis by execution special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Query firmware table information (likely to detect VMs)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Is looking for software installed on the system
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
PE file contains more sections than normal
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Entry point lies outside standard sections
Classification
- System is w10x64
- VASkmEQ4iU.exe (PID: 2432, cmdline: "C:\Users\user\Desktop\VASkmEQ4iU.exe", MD5: F9B340F49AB31913222C64D3EED70ED3)
- cleanup
{"C2 url": ["http://185.62.56.113/"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_RecordStealer | Yara detected Record Stealer | Joe Security | |
No Sigma rule has matched
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype |
---|---|---|---|---|---|---|---|
06/26/22-09:36:19.847678 | 192.168.2.5 | 49758 | 185.62.56.113 | 80 | TCP | 2036934 | A Network Trojan was detected |
06/26/22-09:36:19.915392 | 185.62.56.113 | 80 | 192.168.2.5 | 49758 | TCP | 2036955 | A Network Trojan was detected |
06/26/22-09:36:19.847678 | 192.168.2.5 | 49758 | 185.62.56.113 | 80 | TCP | 2036882 | A Network Trojan was detected |
AV Detection |
---|
Source: ReversingLabs |
Source: Joe Sandbox ML |
Source: Malware Configuration Extractor |
Source: Static PE information |
Source: Binary string |
Networking |
---|
Source: Snort IDS |
Source: URLs |
Source: ASN Name |
Source: HTTP traffic detected |