Windows Analysis Report
Rd1Kf1A4cB.bin

Overview

General Information

Sample Name: Rd1Kf1A4cB.bin (renamed file extension from bin to exe)
Analysis ID: 660113
MD5: 0ad89e86b34a226ff2a3042103afc7f1
SHA1: 91a27477c847ebf9ef3e2cb34e0bc93e323f449d
SHA256: f831d088c3a64b06843d970337f1c8877c9c1988d56720a7dee9d67efeaf78f0
Tags: exezitmo

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected potential crypto function
May initialize a security null descriptor
Contains functionality to launch a process as a different user
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Contains functionality to enumerate network shares
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: Rd1Kf1A4cB.exe Avira: detected
Source: Rd1Kf1A4cB.exe Virustotal: Detection: 78%
Source: Rd1Kf1A4cB.exe ReversingLabs: Detection: 96%
Source: Rd1Kf1A4cB.exe Joe Sandbox ML: detected
Source: 0.2.Rd1Kf1A4cB.exe.400000.0.unpack Avira: Label: TR/Spy.Gen
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00411780 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00411780

Compliance

Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Unpacked PE file: 0.2.Rd1Kf1A4cB.exe.400000.0.unpack
Source: Rd1Kf1A4cB.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00405838 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 0_2_00405838
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00415B2D FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_00415B2D
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00415BE8 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_00415BE8
Source: Rd1Kf1A4cB.exe, Rd1Kf1A4cB.exe, 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.google.com/webhp
Source: Rd1Kf1A4cB.exe, 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.google.com/webhpbcsocksGlobal
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_0040CC5C InternetReadFile, 0_2_0040CC5C
Source: Rd1Kf1A4cB.exe, 00000000.00000002.260413898.000000000077A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_0040BB78 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage, 0_2_0040BB78
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_0040BCEA GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock, 0_2_0040BCEA
Source: Rd1Kf1A4cB.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_0040F964 InitiateSystemShutdownExW,ExitWindowsEx, 0_2_0040F964
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00404191 ExitWindowsEx, 0_2_00404191
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00404392 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,OpenMutexW,GetFileAttributesExW,ReadProcessMemory,CloseHandle,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00404392
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_0041168D 0_2_0041168D
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00412FBB 0_2_00412FBB
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00411D38 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_00411D38
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00404984 NtQueryInformationProcess,CloseHandle,NtCreateThread, 0_2_00404984
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00404A40 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle, 0_2_00404A40
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_004063F7 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,TranslateMessage,GetClipboardData,PFXImportCertStore, 0_2_004063F7
Source: Rd1Kf1A4cB.exe Virustotal: Detection: 78%
Source: Rd1Kf1A4cB.exe ReversingLabs: Detection: 96%
Source: Rd1Kf1A4cB.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00404D06 CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle, 0_2_00404D06
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00411ADE GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_00411ADE
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_0040A15D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_0040A15D
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00409FE2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 0_2_00409FE2
Source: classification engine Classification label: mal84.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00416937 CoCreateInstance, 0_2_00416937

Data Obfuscation

Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Unpacked PE file: 0.2.Rd1Kf1A4cB.exe.400000.0.unpack .text:ER;.rdata:W;.rsrc:R; vs .text:ER;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Unpacked PE file: 0.2.Rd1Kf1A4cB.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00405838 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 0_2_00405838
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_0040FE5C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_0040FE5C

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe API coverage: 2.0 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00415B2D FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_00415B2D
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00415BE8 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_00415BE8
Source: Rd1Kf1A4cB.exe, 00000000.00000002.260413898.000000000077A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00414C0D mov edx, dword ptr fs:[00000030h] 0_2_00414C0D
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00405838 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 0_2_00405838
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00403A5D HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,GetLengthSid,GetCurrentProcessId, 0_2_00403A5D
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00404B6E LdrLoadDll,LdrGetDllHandle,LdrLoadDll,EnterCriticalSection,lstrcmpiW,LeaveCriticalSection, 0_2_00404B6E
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00413873 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 0_2_00413873
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00410542 GetTimeZoneInformation, 0_2_00410542
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_0040F48A GetVersionExW,GetNativeSystemInfo, 0_2_0040F48A
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_00406940 RegOpenKeyExW,GetLocalTime, 0_2_00406940
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_0040CEC4 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW, 0_2_0040CEC4
Source: Rd1Kf1A4cB.exe Binary or memory string: S:(ML;;NRNWNX;;;LW)
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_0041369C HeapAlloc,socket,bind,closesocket, 0_2_0041369C
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe Code function: 0_2_004133AC socket,bind,listen,closesocket, 0_2_004133AC
No contacted IP infos