Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
2lKcKQUdN3.exe

Overview

General Information

Sample Name:2lKcKQUdN3.exe
Analysis ID:659500
MD5:6869e0af3920bd7284a136f88a5f788b
SHA1:a91d6aa2f77a7270218ddf867b2475ffadd688b2
SHA256:b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de
Infos:

Detection

BlueBot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected BlueBot
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Drops PE files to the startup folder
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Sample file is different than original file name gathered from version info
Drops PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Stores files to the Windows start menu directory
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)

Classification

Process Tree

  • System is w10x64
  • 2lKcKQUdN3.exe (PID: 1048 cmdline: "C:\Users\user\Desktop\2lKcKQUdN3.exe" MD5: 6869E0AF3920BD7284A136F88A5F788B)
  • cleanup

Malware Configuration

Threatname: BlueBot

{"C2 url": "http://jx2-bavuong.com/newbot/", "Thread Count": 300}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
2lKcKQUdN3.exeJoeSecurity_BlueBotYara detected BlueBotJoe Security
    2lKcKQUdN3.exeMALWARE_Win_BlueBotDetects BlueBotditekSHen
    • 0x7480:$x1: Blue_Botnet
    • 0x8e27:$x3: *300-END-
    • 0x7100:$x4: botlogger.php
    • 0x4988:$s1: //TARGET//
    • 0x69d4:$s1: //TARGET//
    • 0x499e:$s2: //BLOG//
    • 0x6a46:$s2: //BLOG//
    • 0x6b0b:$s2: //BLOG//
    • 0x4a3e:$s3: MCBOTALPHA
    • 0x4bda:$s4: //IPLIST//
    • 0x6d9e:$s4: //IPLIST//
    • 0x6aff:$s5: Host: //BLOG//
    • 0x6c48:$s6: User-Agent: //USERAGENT//
    • 0x72b0:$s6: User-Agent: //USERAGENT//
    • 0x69c4:$s7: <string>//TARGET//</string>
    • 0x7258:$s8: POST //URL// HTTP/1.1/r/n
    • 0x4491:$v1: <attack>b__
    • 0x38f9:$v2: PressData
    • 0x3c39:$v3: POSTPiece
    • 0x393a:$v4: udpStuff
    • 0x394c:$v4: tcpStuff

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\drvhandler.exeJoeSecurity_BlueBotYara detected BlueBotJoe Security
      C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\drvhandler.exeMALWARE_Win_BlueBotDetects BlueBotditekSHen
      • 0x7480:$x1: Blue_Botnet
      • 0x8e27:$x3: *300-END-
      • 0x7100:$x4: botlogger.php
      • 0x4988:$s1: //TARGET//
      • 0x69d4:$s1: //TARGET//
      • 0x499e:$s2: //BLOG//
      • 0x6a46:$s2: //BLOG//
      • 0x6b0b:$s2: //BLOG//
      • 0x4a3e:$s3: MCBOTALPHA
      • 0x4bda:$s4: //IPLIST//
      • 0x6d9e:$s4: //IPLIST//
      • 0x6aff:$s5: Host: //BLOG//
      • 0x6c48:$s6: User-Agent: //USERAGENT//
      • 0x72b0:$s6: User-Agent: //USERAGENT//
      • 0x69c4:$s7: <string>//TARGET//</string>
      • 0x7258:$s8: POST //URL// HTTP/1.1/r/n
      • 0x4491:$v1: <attack>b__
      • 0x38f9:$v2: PressData
      • 0x3c39:$v3: POSTPiece
      • 0x393a:$v4: udpStuff
      • 0x394c:$v4: tcpStuff

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000002.500342481.0000000000D92000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_BlueBotYara detected BlueBotJoe Security
        00000000.00000000.232002674.0000000000D92000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_BlueBotYara detected BlueBotJoe Security
          00000000.00000002.501715129.00000000132F7000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_BlueBotYara detected BlueBotJoe Security
            00000000.00000002.501517276.000000000330E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_BlueBotYara detected BlueBotJoe Security
              Process Memory Space: 2lKcKQUdN3.exe PID: 1048CobaltStrike_C2_Host_IndicatorDetects CobaltStrike C2 host artifactsyara@s3c.za.net
              • 0x79c87:$c2_indicator: #Host:
              • 0x8f797:$c2_indicator: #Host:
              • 0x10c263:$c2_indicator: #Host:
              Click to see the 1 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.2.2lKcKQUdN3.exe.d90000.0.unpackJoeSecurity_BlueBotYara detected BlueBotJoe Security
                0.2.2lKcKQUdN3.exe.d90000.0.unpackMALWARE_Win_BlueBotDetects BlueBotditekSHen
                • 0x7480:$x1: Blue_Botnet
                • 0x7100:$x4: botlogger.php
                • 0x4988:$s1: //TARGET//
                • 0x69d4:$s1: //TARGET//
                • 0x499e:$s2: //BLOG//
                • 0x6a46:$s2: //BLOG//
                • 0x6b0b:$s2: //BLOG//
                • 0x4a3e:$s3: MCBOTALPHA
                • 0x4bda:$s4: //IPLIST//
                • 0x6d9e:$s4: //IPLIST//
                • 0x6aff:$s5: Host: //BLOG//
                • 0x6c48:$s6: User-Agent: //USERAGENT//
                • 0x72b0:$s6: User-Agent: //USERAGENT//
                • 0x69c4:$s7: <string>//TARGET//</string>
                • 0x7258:$s8: POST //URL// HTTP/1.1/r/n
                • 0x4491:$v1: <attack>b__
                • 0x38f9:$v2: PressData
                • 0x3c39:$v3: POSTPiece
                • 0x393a:$v4: udpStuff
                • 0x394c:$v4: tcpStuff
                • 0x3afd:$v4: loadStuff
                0.0.2lKcKQUdN3.exe.d90000.0.unpackJoeSecurity_BlueBotYara detected BlueBotJoe Security
                  0.0.2lKcKQUdN3.exe.d90000.0.unpackMALWARE_Win_BlueBotDetects BlueBotditekSHen
                  • 0x7480:$x1: Blue_Botnet
                  • 0x7100:$x4: botlogger.php
                  • 0x4988:$s1: //TARGET//
                  • 0x69d4:$s1: //TARGET//
                  • 0x499e:$s2: //BLOG//
                  • 0x6a46:$s2: //BLOG//
                  • 0x6b0b:$s2: //BLOG//
                  • 0x4a3e:$s3: MCBOTALPHA
                  • 0x4bda:$s4: //IPLIST//
                  • 0x6d9e:$s4: //IPLIST//
                  • 0x6aff:$s5: Host: //BLOG//
                  • 0x6c48:$s6: User-Agent: //USERAGENT//
                  • 0x72b0:$s6: User-Agent: //USERAGENT//
                  • 0x69c4:$s7: <string>//TARGET//</string>
                  • 0x7258:$s8: POST //URL// HTTP/1.1/r/n
                  • 0x4491:$v1: <attack>b__
                  • 0x38f9:$v2: PressData
                  • 0x3c39:$v3: POSTPiece
                  • 0x393a:$v4: udpStuff
                  • 0x394c:$v4: tcpStuff
                  • 0x3afd:$v4: loadStuff

                  Sigma Signatures

                  No Sigma rule has matched

                  Snort Signatures

                  No Snort rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: 2lKcKQUdN3.exeAvira: detected
                  Multi AV Scanner detection for submitted file
                  Source: 2lKcKQUdN3.exeVirustotal: Detection: 80%Perma Link
                  Source: 2lKcKQUdN3.exeMetadefender: Detection: 77%Perma Link
                  Source: 2lKcKQUdN3.exeReversingLabs: Detection: 88%
                  Antivirus detection for URL or domain
                  Source: http://jx2-bavuong.com/newbot/1Avira URL Cloud: Label: malware
                  Source: http://jx2-bavuong.com/newbot/proxyAvira URL Cloud: Label: malware
                  Source: http://jx2-bavuong.com/newbot/targetAvira URL Cloud: Label: malware
                  Source: http://jx2-bavuong.com/newbot/Avira URL Cloud: Label: malware
                  Source: http://jx2-bavuong.comAvira URL Cloud: Label: malware
                  Source: http://jx2-bavuong.com/newbot/blogAvira URL Cloud: Label: malware
                  Multi AV Scanner detection for domain / URL
                  Source: jx2-bavuong.comVirustotal: Detection: 5%Perma Link
                  Antivirus detection for dropped file
                  Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\drvhandler.exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                  Multi AV Scanner detection for dropped file
                  Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\drvhandler.exeMetadefender: Detection: 77%Perma Link
                  Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\drvhandler.exeReversingLabs: Detection: 88%
                  Machine Learning detection for dropped file
                  Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\drvhandler.exeJoe Sandbox ML: detected
                  Machine Learning detection for sample
                  Source: 2lKcKQUdN3.exeJoe Sandbox ML: detected
                  Source: 0.0.2lKcKQUdN3.exe.d90000.0.unpackAvira: Label: TR/ATRAPS.Gen
                  Source: 2lKcKQUdN3.exeMalware Configuration Extractor: BlueBot {"C2 url": "http://jx2-bavuong.com/newbot/", "Thread Count": 300}
                  Source: 2lKcKQUdN3.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: C:\Users\user\Desktop\2lKcKQUdN3.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dllJump to behavior
                  Source: 2lKcKQUdN3.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: c:\Users\huggye\Documents\Visual Studio 2013\Projects\Blue Botnet\Blue Botnet\obj\Debug\file.pdb source: 2lKcKQUdN3.exe, drvhandler.exe.0.dr
                  Source: Binary string: c:\Users\huggye\Documents\Visual Studio 2013\Projects\Blue Botnet\Blue Botnet\obj\Debug\file.pdbh source: 2lKcKQUdN3.exe, drvhandler.exe.0.dr

                  Networking

                  barindex
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: http://jx2-bavuong.com/newbot/
                  Source: global trafficHTTP traffic detected: GET /newbot/target HTTP/1.1Host: jx2-bavuong.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /newbot/1 HTTP/1.1Host: jx2-bavuong.com
                  Source: global trafficHTTP traffic detected: GET /newbot/1 HTTP/1.1Host: jx2-bavuong.com
                  Source: global trafficHTTP traffic detected: GET /newbot/1 HTTP/1.1Host: jx2-bavuong.com
                  Source: global trafficHTTP traffic detected: GET /newbot/1 HTTP/1.1Host: jx2-bavuong.com
                  Source: global trafficHTTP traffic detected: GET /newbot/1 HTTP/1.1Host: jx2-bavuong.com
                  Source: global trafficHTTP traffic detected: GET /newbot/1 HTTP/1.1Host: jx2-bavuong.com
                  Source: 2lKcKQUdN3.exe, drvhandler.exe.0.drString found in binary or memory: http://127.0.0.1/
                  Source: 2lKcKQUdN3.exe, 00000000.00000003.235636821.000000001BDC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.w
                  Source: 2lKcKQUdN3.exe, 00000000.00000003.240953589.000000001BDD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.wikip
                  Source: 2lKcKQUdN3.exe, 00000000.00000003.235636821.000000001BDC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.wp
                  Source: 2lKcKQUdN3.exe, 00000000.00000003.235636821.000000001BDC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.ww
                  Source: 2lKcKQUdN3.exe, 00000000.00000002.502113848.000000001CFD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                  Source: 2lKcKQUdN3.exe, 00000000.00000002.501680897.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, 2lKcKQUdN3.exe, 00000000.00000002.501517276.000000000330E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jx2-bavuong.com
                  Source: 2lKcKQUdN3.exe, drvhandler.exe.0.drString found in binary or memory: http://jx2-bavuong.com/newbot/
                  Source: 2lKcKQUdN3.exe, 00000000.00000002.501680897.00000000033D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jx2-bavuong.com/newbot/1
                  Source: 2lKcKQUdN3.exe, 00000000.00000002.501680897.00000000033D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jx2-bavuong.com/newbot/blog
                  Source: 2lKcKQUdN3.exe, 00000000.00000002.501517276.000000000330E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jx2-bavuong.com/newbot/proxy
                  Source: 2lKcKQUdN3.exe, 00000000.00000002.501680897.00000000033D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jx2-bavuong.com/newbot/target
                  Source: 2lKcKQUdN3.exe, 00000000.00000002.501680897.00000000033D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jx2-bavuong.com0?
                  Source: 2lKcKQUdN3.exe, 00000000.00000002.502113848.000000001CFD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: 2lKcKQUdN3.exe, 00000000.00000003.240176335.000000001BDD4000.00000004.00000020.00020000.00000000.sdmp, 2lKcKQUdN3.exe, 00000000.00000003.240297133.000000001BDCD000.00000004.00000020.00020000.00000000.sdmp, 2lKcKQUdN3.exe, 00