
Windows Analysis Report
CpLGtq4jBl.exe

Overview

General Information

Sample Name: CpLGtq4jBl.exe
Analysis ID: 659597
MD5: 9d3f96bb981b1297d55cc96abf5fb44f
SHA1: 3d8f20d004a5095542c952722c2fdb734ea621df
SHA256: d9536057855ddfa0656463b11191f1fd1a34f95032c676f7d3afc7cd5372068b

Detection

Predator
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Yara detected Predator
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
May check the online IP address of the machine
Yara detected Generic Downloader
Machine Learning detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Moves itself to temp directory
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • CpLGtq4jBl.exe (PID: 6080 cmdline: "C:\Users\user\Desktop\CpLGtq4jBl.exe" MD5: 9D3F96BB981B1297D55CC96ABF5FB44F)
    • Zip.exe (PID: 6284 cmdline: "C:\Users\user\AppData\Local\Temp\Zip.exe" MD5: AF07E88EC22CC90CEBFDA29517F101B9)
  • update_220811.exe (PID: 4940 cmdline: "C:\Users\user\AppData\Local\Temp\update_220811.exe" / start MD5: 9D3F96BB981B1297D55CC96ABF5FB44F)
  • update_220811.exe (PID: 6516 cmdline: "C:\Users\user\AppData\Local\Temp\update_220811.exe" / start MD5: 9D3F96BB981B1297D55CC96ABF5FB44F)
  • cleanup
Malware Configuration (Predator): {"C2 url": "http://big009.xyz/1/webpanel"}

Yara matches (sample file)

Source: CpLGtq4jBl.exe | Rule: JoeSecurity_Predator | Description: Yara detected Predator | Author: Joe Security
Source: CpLGtq4jBl.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: CpLGtq4jBl.exe | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: CpLGtq4jBl.exe | Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN | Description: Detects executables referencing many VPN software clients. Observed in infostealers | Author: ditekSHen | Strings:
  • 0x7d546:$s1: \Vpn\NordVPN
  • 0x80cb0:$s2: \VPN\OpenVPN
  • 0x80d1e:$s3: \VPN\ProtonVPN
Yara matches (process memory dumps)

Source: 00000000.00000002.520183809.0000000000142000.00000002.00000001.01000000.00000008.sdmp | Rule: JoeSecurity_Predator | Description: Yara detected Predator | Author: Joe Security
Source: 00000000.00000002.520183809.0000000000142000.00000002.00000001.01000000.00000008.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000F.00000000.320390893.0000000000D02000.00000002.00000001.01000000.00000008.sdmp | Rule: JoeSecurity_Predator | Description: Yara detected Predator | Author: Joe Security
Source: 0000000F.00000000.320390893.0000000000D02000.00000002.00000001.01000000.00000008.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000B.00000000.302609326.0000000000202000.00000002.00000001.01000000.00000008.sdmp | Rule: JoeSecurity_Predator | Description: Yara detected Predator | Author: Joe Security
Yara matches (unpacked PE files)

Source: 15.0.update_220811.exe.d65ae8.1.raw.unpack | Rule: JoeSecurity_Predator | Description: Yara detected Predator | Author: Joe Security
Source: 15.0.update_220811.exe.d65ae8.1.raw.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 15.0.update_220811.exe.d65ae8.1.raw.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 15.0.update_220811.exe.d65ae8.1.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN | Description: Detects executables referencing many VPN software clients. Observed in infostealers | Author: ditekSHen | Strings:
  • 0x1965e:$s1: \Vpn\NordVPN
  • 0x1cdc8:$s2: \VPN\OpenVPN
  • 0x1ce36:$s3: \VPN\ProtonVPN
Source: 11.2.update_220811.exe.265ae8.1.raw.unpack | Rule: JoeSecurity_Predator | Description: Yara detected Predator | Author: Joe Security
                          No Sigma rule has matched
Snort IDS alerts

Timestamp: 07/08/22-11:55:12.849427
Source IP: 192.168.2.4
Destination IP: 188.114.96.3
Source Port: 49781
Destination Port: 80
SID: 2022818
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/08/22-11:55:21.683286
Source IP: 192.168.2.4
Destination IP: 188.114.96.3
Source Port: 49784
Destination Port: 80
SID: 2022818
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/08/22-11:55:31.253597
Source IP: 192.168.2.4
Destination IP: 188.114.96.3
Source Port: 49786
Destination Port: 80
SID: 2022818
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/08/22-11:55:07.071148
Source IP: 192.168.2.4
Destination IP: 188.114.96.3
Source Port: 49763
Destination Port: 80
SID: 2022818
Protocol: TCP
Classtype: A Network Trojan was detected


                          AV Detection

Source: CpLGtq4jBl.exe; Virustotal: Detection: 76%
Source: CpLGtq4jBl.exe; Metadefender: Detection: 45%
Source: CpLGtq4jBl.exe; ReversingLabs: Detection: 84%
Source: CpLGtq4jBl.exe; Avira: detected
Source: http://big009.xyz; Avira URL Cloud: Label: malware
Source: http://big009.xyz/1/webpanel; Avira URL Cloud: Label: malware
Source: http://big009.xyz/1/webpanel/gate.php?hwid=CH5E1CC6F3C2; Avira URL Cloud: Label: malware
Source: http://big009.xyz/1/webpanel/gate.php?hwid=CH5E1CC6F3C28; Avira URL Cloud: Label: malware
Source: http://big009.xyz/1/webpanel/logs.php?hwid=CH5E1CC6F3C2&Passwords=0&CreditCards=0&Cookies=1&AutoFill=0&Wallets=0; Avira URL Cloud: Label: malware
Source: http://big009.xyz/1/webpanel/logs.php?hwid=CH5E1CC6F3C2&Passwords=0&CreditCards=0&Cookies=1&AutoFill; Avira URL Cloud: Label: malware
Source: http://big009.xyz/1/webpanel/task.php?hwid=CH5E1CC6F3C28; Avira URL Cloud: Label: malware
Source: http://big009.xyz/1/webpanel/task.php?hwid=CH5E1CC6F3C2; Avira URL Cloud: Label: malware
Source: Yara match; File source: CpLGtq4jBl.exe, type: SAMPLE
Source: Yara match; File source: 15.0.update_220811.exe.d65ae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.update_220811.exe.265ae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.update_220811.exe.d65ae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.update_220811.exe.265ae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.CpLGtq4jBl.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.update_220811.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.CpLGtq4jBl.exe.1a5ae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CpLGtq4jBl.exe.1a5ae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CpLGtq4jBl.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CpLGtq4jBl.exe.142203.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.update_220811.exe.d02203.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.update_220811.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.0.update_220811.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.update_220811.exe.202203.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.update_220811.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.CpLGtq4jBl.exe.142203.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.0.update_220811.exe.d02203.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.update_220811.exe.202203.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.update_220811.exe.131b1c98.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.update_220811.exe.1262ddb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.update_220811.exe.1314ddb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.update_220811.exe.12691c98.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.520183809.0000000000142000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000000.320390893.0000000000D02000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.302609326.0000000000202000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.248487769.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.523242863.0000000002331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.329858097.0000000000202000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.341560080.0000000000D02000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.345545908.000000001314D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.335837148.000000001262D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: CpLGtq4jBl.exe PID: 6080, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: update_220811.exe PID: 4940, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: update_220811.exe PID: 6516, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Zip.exe; Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\Zip.exe; ReversingLabs: Detection: 65%
Source: CpLGtq4jBl.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Zip.exe; Joe Sandbox ML: detected
Source: 15.0.update_220811.exe.d00000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 11.0.update_220811.exe.200000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 0.0.CpLGtq4jBl.exe.140000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: CpLGtq4jBl.exe; Malware Configuration Extractor: Predator {"C2 url": "http://big009.xyz/1/webpanel"}

                          Compliance

Source: C:\Users\user\Desktop\CpLGtq4jBl.exe; Unpacked PE file: 0.2.CpLGtq4jBl.exe.140000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\update_220811.exe; Unpacked PE file: 11.2.update_220811.exe.200000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\update_220811.exe; Unpacked PE file: 15.2.update_220811.exe.d00000.0.unpack
Source: CpLGtq4jBl.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: CpLGtq4jBl.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb; source: CpLGtq4jBl.exe, 00000000.00000002.527871044.000000001B404000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \gom_v_4.0\Zip\Zip\obj\Debug\Zip.pdb; source: CpLGtq4jBl.exe, Zip.exe.0.dr
Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb; source: CpLGtq4jBl.exe, Newtonsoft.Json.dll0.0.dr, Newtonsoft.Json.dll.0.dr
Source: Binary string: \gom_v_4.0\update_windows10\update_windows10\obj\Debug\update_windows10.pdb; source: CpLGtq4jBl.exe

                          Networking