Windows Analysis Report
6LTym8YhUJ.exe

Overview

General Information

Sample Name: 6LTym8YhUJ.exe
Analysis ID: 654950
MD5: 1b35d7b6c5252ef4cca1d703c4134f6f
SHA1: 38344e5a27ed51c6e4e335573478ad3b6f8a7767
SHA256: 07a029536d442a18485d88a48362cd84a184a6e54695496b1462b7f6d9a2c2c1
Tags: exe, Socelars

Detection

Socelars
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Yara detected Socelars
Machine Learning detection for sample
May check the online IP address of the machine
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Enables driver privileges
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Enables security privileges
Found large amount of non-executed APIs

Classification

  • System is w10x64
  • 6LTym8YhUJ.exe (PID: 2572 cmdline: "C:\Users\user\Desktop\6LTym8YhUJ.exe" MD5: 1B35D7B6C5252EF4CCA1D703C4134F6F)
    • WerFault.exe (PID: 6076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1912 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
Malware configuration (Socelars): {"C2 url": "http://ngdatas.pw/"}
Source | Rule | Description | Author | Strings
6LTym8YhUJ.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
6LTym8YhUJ.exe | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
6LTym8YhUJ.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
  • 0x144558:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1445a8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x143340:$s1: CoGetObject
  • 0x144414:$s2: Elevation:Administrator!new:
Source | Rule | Description | Author | Strings
00000000.00000000.271855497.0000000001126000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000000.00000000.270071748.0000000001126000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000000.00000000.256990699.0000000001126000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000000.00000002.341402733.00000000010FA000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
[5 more memory-dump entries not shown in this capture]
Source | Rule | Description | Author | Strings
0.2.6LTym8YhUJ.exe.fe0000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0.2.6LTym8YhUJ.exe.fe0000.0.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
0.2.6LTym8YhUJ.exe.fe0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
  • 0x144558:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1445a8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x143340:$s1: CoGetObject
  • 0x144414:$s2: Elevation:Administrator!new:
0.0.6LTym8YhUJ.exe.fe0000.2.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0.0.6LTym8YhUJ.exe.fe0000.2.unpack | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
[7 more unpacked-PE entries not shown in this capture]
                        No Sigma rule has matched
                        No Snort rule has matched
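The community rule above fires on three strings: the CMSTPLUA CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, the COM entry point CoGetObject, and the "Elevation:Administrator!new:" moniker prefix that asks COM to instantiate that class in an auto-elevated surrogate. The scanner below reproduces that check outside Yara so the offsets can be confirmed by hand. It is an added example, not Joe Sandbox or ditekSHen code; the indicator strings come from the rule matches shown in the report, the sample buffer is constructed inline, and two points are assumptions: that the rule's strings carry the `ascii wide` modifiers (so both encodings are searched) and that its condition requires all three strings (the page shows the matched strings, not the rule body).

```python
"""Static scan for the CMSTPLUA COM elevation indicators the Yara hits key on.

Added example; not Joe Sandbox or ditekSHen code. Indicator strings are taken
from the rule matches in the report; the sample buffer is constructed inline.
Assumption: the rule matches both ASCII and UTF-16LE ("ascii wide").
"""

CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
INDICATORS = {
    "guid1": CMSTPLUA_CLSID,
    "s1": "CoGetObject",
    "s2": "Elevation:Administrator!new:",
}


def find_all(haystack: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in haystack (overlaps allowed)."""
    offsets, start = [], 0
    while (idx := haystack.find(needle, start)) >= 0:
        offsets.append(idx)
        start = idx + 1
    return offsets


def scan(data: bytes) -> dict:
    """Map indicator name -> [(offset, encoding), ...] for each hit."""
    hits = {}
    for name, text in INDICATORS.items():
        for enc, needle in (("ascii", text.encode("ascii")),
                            ("wide", text.encode("utf-16-le"))):
            for off in find_all(data, needle):
                hits.setdefault(name, []).append((off, enc))
    return hits


def verdict(hits: dict) -> bool:
    """Assumed rule logic: the CLSID plus both COM strings must be present.
    The page shows the matched strings, not the rule's condition."""
    return all(k in hits for k in ("guid1", "s1", "s2"))


# Constructed buffer: filler with the three indicators embedded; the CLSID
# appears once as ASCII and once as UTF-16LE to exercise both encodings.
SAMPLE = (
    b"\x00" * 0x40 + b"CoGetObject\x00"
    + b"\x90" * 0x20 + b"Elevation:Administrator!new:\x00"
    + b"\xcc" * 0x10 + CMSTPLUA_CLSID.encode("ascii") + b"\x00"
    + b"\xcc" * 0x10 + CMSTPLUA_CLSID.encode("utf-16-le") + b"\x00\x00"
)
BENIGN = b"MZ" + b"\x00" * 0x200

if __name__ == "__main__":
    for name, found in sorted(scan(SAMPLE).items()):
        for off, enc in found:
            print(f"0x{off:x}:${name} ({enc})")
    print("CMSTP COM elevation indicators present:", verdict(scan(SAMPLE)))
```

A static hit shows that the binary carries the COM elevation plumbing, not that the bypass ran. At runtime the technique appears as a DllHost.exe surrogate started with /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} spawning the elevated child, which is the stronger alert signal; in this run the process tree shows only the sample and a WerFault.exe crash handler, so the elevation path was never exercised.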



                        AV Detection

Source: 6LTym8YhUJ.exe | ReversingLabs: Detection: 84%
Source: 6LTym8YhUJ.exe | Avira: detected
Source: 6LTym8YhUJ.exe | Avira: detected
Source: http://ngdatas.pw/https://www.icodeps.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP | URL Reputation: Label: malware
Source: 6LTym8YhUJ.exe | Joe Sandbox ML: detected
Source: 0.2.6LTym8YhUJ.exe.fe0000.0.unpack | Avira: Label: JS/SpyBanker.G2
Source: 0.0.6LTym8YhUJ.exe.fe0000.0.unpack | Avira: Label: JS/SpyBanker.G2
Source: 0.0.6LTym8YhUJ.exe.fe0000.1.unpack | Avira: Label: JS/SpyBanker.G2
Source: 0.0.6LTym8YhUJ.exe.fe0000.2.unpack | Avira: Label: JS/SpyBanker.G2
Source: 6LTym8YhUJ.exe | Malware Configuration Extractor: Socelars {"C2 url": "http://ngdatas.pw/"}

                        Exploits

Source: Yara match | File source: 6LTym8YhUJ.exe, type: SAMPLE
Source: Yara match | File source: 0.2.6LTym8YhUJ.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.6LTym8YhUJ.exe.fe0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.6LTym8YhUJ.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.6LTym8YhUJ.exe.fe0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.271855497.0000000001126000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.270071748.0000000001126000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.341424352.0000000001126000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.256990699.0000000001126000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6LTym8YhUJ.exe PID: 2572, type: MEMORYSTR
Source: 6LTym8YhUJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: 6LTym8YhUJ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
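The two "Static PE information" lines are decoded from the COFF file header Characteristics and the optional header DllCharacteristics fields. The parser below reads exactly those fields so the flag set can be checked on any sample, and reports which exploit mitigations a modern build would carry but the file lacks. It is an added example, not Joe Sandbox code; the header bytes are constructed inline to mirror the flags listed for this sample, and the mitigation list in mitigation_gaps is the editor's baseline, not one the report defines.

```python
"""Decode the PE header flags behind the report's 'Static PE information' lines.

Added example, not Joe Sandbox code. Reads only the DOS header pointer, the COFF
file header and the fixed part of the optional header; the sample header bytes
are constructed inline so it runs without a real binary.
"""
import struct

MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_flags(data: bytes) -> dict:
    """Return machine, image format and the decoded characteristics of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # Subsystem and DllCharacteristics sit at +68 / +70 in both PE32 and PE32+.
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "machine": MACHINES.get(machine, f"0x{machine:04x}"),
        "format": "PE32" if magic == PE32_MAGIC else "PE32+",
        "sections": nsec,
        "subsystem": subsystem,
        "characteristics": _flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dllchars, DLL_CHARACTERISTICS),
    }


def build_sample(machine: int, chars: int, magic: int, dllchars: int) -> bytes:
    """Construct a minimal header-only PE image (no sections) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: right after the DOS header
    opt_size = 224 if magic == PE32_MAGIC else 240
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<HH", opt, 68, 2, dllchars)    # Subsystem 2 = WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed to mirror the flag set the report lists for this sample.
SAMPLE_32 = build_sample(0x014C, 0x0002 | 0x0100, PE32_MAGIC, 0x0040 | 0x0100 | 0x8000)


def mitigation_gaps(info: dict) -> list:
    """Mitigation flags the editor expects on a modern build but that are absent."""
    want = ["DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"]
    if info["format"] == "PE32+":
        want.append("HIGH_ENTROPY_VA")   # only meaningful for 64-bit images
    return [f for f in want if f not in info["dll_characteristics"]]


if __name__ == "__main__":
    info = parse_pe_flags(SAMPLE_32)
    print(info)
    print("missing mitigations:", mitigation_gaps(info))
```

DYNAMIC_BASE only says the linker permitted relocation; a 32-bit image that also strips its .reloc section still loads at its preferred base, so confirm the relocation directory is present before crediting the sample with ASLR.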

                        Networking

Source: C:\Users\user\Desktop\6LTym8YhUJ.exe | DNS query: name: iplogger.org
Source: Malware configuration extractor | URLs: http://ngdatas.pw/
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 148.251.234.83 148.251.234.83
Source: Joe Sandbox View | IP Address: 148.251.234.83 148.251.234.83
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36; Host: www.icodeps.com; Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /1DnXg7 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36; Host: iplogger.org; Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 6LTym8YhUJ.exe, 00000000.00000000.270818657.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000003.266848446.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000002.340951721.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000003.267639324.00000000005CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 6LTym8YhUJ.exe | String found in binary or memory: http://ngdatas.pw/
Source: 6LTym8YhUJ.exe | String found in binary or memory: http://ngdatas.pw/https://www.icodeps.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP
Source: 6LTym8YhUJ.exe | String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExe
Source: 6LTym8YhUJ.exe | String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband
Source: 6LTym8YhUJ.exe | String found in binary or memory: http://www.mkpmc.com
Source: 6LTym8YhUJ.exe | String found in binary or memory: http://www.mkpmc.com/Home/Index/getdata
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://htyjh.s3.ap-south-1.amazonaws.com/613fdh2
Source: 6LTym8YhUJ.exe, 00000000.00000000.270818657.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000002.340951721.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000003.267639324.00000000005CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://iplogger.org/
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/12QMs7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/12TMs7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/143up7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/14Jup7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/169Bx7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1746b7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1756b7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/19iM77
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1BBCf7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1CDGu7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1CUGu7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Cr3a7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1DEXg7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1DQXg7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Dk7g7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Dm7g7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Dn7g7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1DnXg7
Source: 6LTym8YhUJ.exe, 00000000.00000000.270818657.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000002.340951721.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 6LTym8YhUJ.exe, 00000000.00000003.267639324.00000000005CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://iplogger.org/1DnXg7k_
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Dv7g7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1E2ma7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1ELna7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1G7Sc7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1GWfv7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1GaLz7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Gbzj7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Gczj7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Ghzj7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1GiLz7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Gjzj7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1H3Fa7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1HQGc7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1HWGc7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1J2q67
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1J9q67
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1JD967
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Jeq67
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1LvRk7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1N3J25
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1NaYz7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1NpYz7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1NsYz7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1NuYz7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1NyYz7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Pdet7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1RWXp7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1SWks7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Smzs7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Sxzs7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1TBch7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1TCch7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1TW3i7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1TXch7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1Tkij7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1VPXi7
Source: 6LTym8YhUJ.exe | String found in binary or memory: https://iplogger.org/1XJq97
                        Source:
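The Networking section mixes three different kinds of evidence: the configuration extractor's C2 URL, traffic the sandbox actually observed (one DNS query and two HTTPS sessions, to iplogger.org and www.icodeps.com), and several dozen URLs that merely exist as strings in the binary, including a printf-style template ("0.0.0.0%d.%d.%d.%d"). The script below triages lines of this form into those buckets so that a hunt team does not block on a template or treat a dormant string as a contacted host. It is an added example, not a Joe Sandbox feature; REPORT_LINES are copied from this report in the raw run-together form the export produces (for instance "Host: iplogger.orgCache-Control"), and the regexes are the editor's assumptions about that layout, not a documented format.

```python
"""Pull network IOCs out of the report's 'Source: ...' lines and separate hosts
the sandbox saw on the wire from hosts that only exist as strings in the binary.

Added example, not a Joe Sandbox feature. REPORT_LINES are copied from this
report's Networking section in the raw run-together export form; the regexes
are tuned to that layout and are assumptions, not a documented format.
"""
import ipaddress
import re
from urllib.parse import urlsplit

REPORT_LINES = [
    "Source: C:\\Users\\user\\Desktop\\6LTym8YhUJ.exeDNS query: name: iplogger.org",
    "Source: Malware configuration extractorURLs: http://ngdatas.pw/",
    "Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19",
    "Source: unknownHTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.4:49755 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.4:49759 version: TLS 1.2",
    "Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: www.icodeps.comCache-Control: no-cache",
    "Source: global trafficHTTP traffic detected: GET /1DnXg7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: iplogger.orgCache-Control: no-cache",
    "Source: 6LTym8YhUJ.exeString found in binary or memory: http://ngdatas.pw/https://www.icodeps.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP",
    "Source: 6LTym8YhUJ.exeString found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExe",
    "Source: 6LTym8YhUJ.exeString found in binary or memory: https://iplogger.org/1DnXg7",
    "Source: 6LTym8YhUJ.exeString found in binary or memory: https://iplogger.org/1XJq97",
]

# A path stops where the next scheme starts, so a concatenated format-string
# blob such as "http://a/https://b/..." yields two URLs instead of one.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/(?:(?!https?://)[^\s\"'<>])*)?")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
JA3_RE = re.compile(r"JA3 fingerprint: ([0-9a-f]{32})")
DNS_RE = re.compile(r"DNS query: name: ([A-Za-z0-9.\-]+)")
# The export glues "Host: x.yCache-Control" together; stop at the next header's capital.
HOST_RE = re.compile(r"Host: ([a-z0-9.\-]+?\.[a-z]{2,})(?=[A-Z\s;]|$)")
C2_RE = re.compile(r"configuration extractorURLs: (\S+)")


def public_ip(token: str):
    """Return the address if it is routable; drop sandbox, private and placeholder ones."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return None
    if ip.is_private or ip.is_unspecified or ip.is_loopback or ip.is_link_local:
        return None
    return str(ip)


def extract_iocs(lines) -> dict:
    iocs = {k: set() for k in ("c2", "ja3", "public_ips", "observed_hosts",
                               "static_hosts", "static_urls", "template_urls")}
    for line in lines:
        if m := C2_RE.search(line):
            iocs["c2"].add(m.group(1))
        if m := JA3_RE.search(line):
            iocs["ja3"].add(m.group(1))
        if m := DNS_RE.search(line):
            iocs["observed_hosts"].add(m.group(1))
        if m := HOST_RE.search(line):
            iocs["observed_hosts"].add(m.group(1))
        if "traffic detected" in line:
            for token in IP_RE.findall(line):
                if ip := public_ip(token):
                    iocs["public_ips"].add(ip)
        if "String found in binary or memory:" in line:
            for url in URL_RE.findall(line):
                # printf-style placeholders mark a template, not an observed URL
                iocs["template_urls" if "%" in url else "static_urls"].add(url)
                if host := urlsplit(url).hostname:
                    iocs["static_hosts"].add(host)
    # Hosts present in the binary that were never resolved or contacted in this run.
    iocs["static_only_hosts"] = iocs["static_hosts"] - iocs["observed_hosts"]
    return iocs


if __name__ == "__main__":
    for key, values in extract_iocs(REPORT_LINES).items():
        print(f"{key}: {sorted(values)}")
```

On this report the split is telling: the configured C2 ngdatas.pw lands in static_only_hosts because nothing in the captured traffic reached it, while the only observed hosts are the iplogger.org tracking link and www.icodeps.com. Treat the C2 as config-derived rather than traffic-confirmed, and be cautious pivoting on the JA3 value alone: fingerprints produced by the Windows TLS stack are shared by a great deal of benign software, which is why the sandbox phrases it as "seen in connection with other malware" rather than as a detection.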