Windows Analysis Report
4dzlU0beKB.exe

Overview

General Information

Sample Name: 4dzlU0beKB.exe
Analysis ID: 693554
MD5: fe304e909fb1f67c4d9030fc74d0a2f1
SHA1: 1102fb973b3b83bbd5749db3ceb9405443c09dfe
SHA256: a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96
Tags: 32 exe trojan

Detection

Phorpiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Phorpiex
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Found evasive API chain (may stop execution after checking mutex)
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Contains functionality to detect sleep reduction / modifications
Contains functionality to check if Internet connection is working
Uses 32bit PE files
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Drops files with a non-matching file extension (content does not match file extension)
Installs a raw input device (often for capturing keystrokes)
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • 4dzlU0beKB.exe (PID: 2372 cmdline: "C:\Users\user\Desktop\4dzlU0beKB.exe" MD5: FE304E909FB1F67C4D9030FC74D0A2F1)
    • 2314729694.scr (PID: 3508 cmdline: C:\Users\user\AppData\Local\Temp\2314729694.scr MD5: ED2D7B25BB360CCCB4F0F6A4F8732D7A)
      • winrecsv.exe (PID: 868 cmdline: C:\Windows\winrecsv.exe MD5: ED2D7B25BB360CCCB4F0F6A4F8732D7A)
  • winrecsv.exe (PID: 4860 cmdline: "C:\Windows\winrecsv.exe" MD5: ED2D7B25BB360CCCB4F0F6A4F8732D7A)
    • 2201832713.exe (PID: 2028 cmdline: C:\Users\user\AppData\Local\Temp\2201832713.exe MD5: 8F56F0F0C9A4AA6C0BDA072D8BF7C769)
  • cleanup
Yara matches in dropped files:

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\2314729694.scr | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
C:\Windows\winrecsv.exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\tpeinf[1].png | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security

Yara matches in memory dumps:

Source | Rule | Description | Author
00000004.00000002.281020089.0000000000410000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
00000009.00000002.522368443.0000000000410000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
00000009.00000000.298830190.0000000000410000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
00000003.00000003.277857750.00000000006B3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
00000004.00000000.277775782.0000000000410000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security

Yara matches in unpacked PE files:

Source | Rule | Description | Author
3.2.2314729694.scr.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
4.2.winrecsv.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
3.0.2314729694.scr.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
9.0.winrecsv.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
4.0.winrecsv.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security

No Sigma rule has matched
No Snort rule has matched


                            AV Detection

Source: 4dzlU0beKB.exe | Virustotal: Detection: 75%
Source: 4dzlU0beKB.exe | ReversingLabs: Detection: 62%
Source: 4dzlU0beKB.exe | Avira: detected
Source: http://185.215.113.66/twizt/984658winrecsv.exeWindows | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/tpeinf.php | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/twizt/6 | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/twizt/5 | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/twizt/ | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/twizt/2 | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/twizt/1 | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/twizt/4 | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/twizt/3 | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/tpeinf.php | Virustotal: Detection: 15%
Source: http://185.215.113.66/twizt/6 | Virustotal: Detection: 11%
Source: http://185.215.113.66/twizt/5 | Virustotal: Detection: 10%
Source: http://185.215.113.66/twizt/ | Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\2314729694.scr | Avira: detection malicious, Label: HEUR/AGEN.1237550
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\tpeinf[1].png | Avira: detection malicious, Label: HEUR/AGEN.1237550
Source: C:\Users\user\AppData\Local\Temp\2201832713.exe | Avira: detection malicious, Label: HEUR/AGEN.1239737
Source: C:\Windows\winrecsv.exe | Avira: detection malicious, Label: HEUR/AGEN.1237550
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\tpeinf[1].png | Metadefender: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\tpeinf[1].png | ReversingLabs: Detection: 96%
Source: C:\Users\user\AppData\Local\Temp\2201832713.exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\2314729694.scr | Metadefender: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\2314729694.scr | ReversingLabs: Detection: 96%
Source: C:\Windows\winrecsv.exe | Metadefender: Detection: 68%
Source: C:\Windows\winrecsv.exe | ReversingLabs: Detection: 96%
Source: 4dzlU0beKB.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2314729694.scr | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\tpeinf[1].png | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2201832713.exe | Joe Sandbox ML: detected
Source: C:\Windows\winrecsv.exe | Joe Sandbox ML: detected
Source: 3.0.2314729694.scr.400000.0.unpack | Malware Configuration Extractor: Phorpiex {"C2 url": "http://185.215.113.66/twizt/", "Wallet": ["12SJv5p8xUHeiKnXPCDaKCMpqvXj7TABT5BSxGt3csz9Beuc", "1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD", "3PFzu8Rw8aDNhDT6d5FMrZ3ckE4dEHzogfg", "3BJS4zYwrnfcJMm4xLxRcsa69ght8n6QWz", "lskbjrchofkmqtugfw28ot7jzv96u75xzyb5bvoop", "qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k", "XgWbWpuyPGney7hcS9vZ7eNhkj7WcvGcj8", "DPcSSyFAYLu4aEB4s1Yotb8ANwtx6bZEQG", "0xb899fC445a1b61Cdd62266795193203aa72351fE", "LRDpmP5wHZ82LZimzWDLHVqJPDSpkM1gZ7", "r1eZ7W1fmUT9tiUZwK6rr3g6RNiE4QpU1", "TBdEh7r35ywUD5omutc2kDTX7rXhnFkxy5", "t1T7mBRBgTYPEL9RPPBnAVgcftiWUPBFWyy", "terra1smy8jurjwm790qrt5z3qrsyrx9a3lcwehvzmw3", "tz1fpBZAB1jz7RsefBjT94VR3h5VzL4akg6L", "hxc65003fbd738014cf286edf92f9ddac689ec4de5", "QYHny85SWYTLcZFFNNoVovyN15eNbwZdW6", "RRQ9QGcqnHEqJAbcEjs9X3EYsEfXrZPvEi", "NC7YTU5BSOVDYRUPWA3KUXP437AEZ7JNE2H3EYGI", "AGUqhQzF52Qwbvun5wQSrpokPtCC4b9yiX", "SNCjaBTsinQUDTjBvBoDLVm2AnN2qXeMCs", "zil14rxudm29xzmu9cyk0mcwvrlxm086evuawjy2ev", "s1dSgik6QuCDrRnw9yvtrLCvRLDemi2juJe", "bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k", "cosmos156h8kejuwm3n7ywpwajplfzahgum8lenvkezny", "4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK", "addr1q8ujsfumgrpjvp2v6s3cfndz7yqf7cgpnjfpdlqxfphwfa0e9qneksxrycz5e4prsnx69ugqnassr8yjzm7qvjrwun6s6dfsrt", "aPSfmf1H5DNksgcUMV39NPJcSj832L2okm", "FeGdLZrnbVLsmiY9tZ4ssoRjdLDxiigQBL", "GCVFMTUKNLFBGHE3AHRJH4IJDRZGWOJ6JD2FQTFQAAIQR64ALD7QJHUY", "GSdrN7W3GsqsxqaXg4x9k5C8cf1uJeoFFg", "bnb1rcg9mnkzna2tw4u8ughyaj6ja8feyj87hss9ky", "band1f2nuxcxahrph4n4gpy4lndsp5q342fz0yjh945", "bc1qzs2hs5dvyx04h0erq4ea72sctcre2rcwadsq2v"]}
Source: C:\Users\user\AppData\Local\Temp\2314729694.scr | Code function: 3_2_0040AB50 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,3_2_0040AB50
Source: C:\Windows\winrecsv.exe | Code function: 4_2_0040AB50 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,4_2_0040AB50
Source: C:\Windows\winrecsv.exe | Code function: 9_2_0040AB50 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,9_2_0040AB50

                            Phishing

Source: Yara match | File source: 3.2.2314729694.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.winrecsv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.2314729694.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.winrecsv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.winrecsv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.winrecsv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.281020089.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.522368443.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.298830190.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.277857750.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.277775782.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.271515410.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.280898564.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2314729694.scr PID: 3508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: winrecsv.exe PID: 868, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: winrecsv.exe PID: 4860, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\2314729694.scr, type: DROPPED
Source: Yara match | File source: C:\Windows\winrecsv.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\tpeinf[1].png, type: DROPPED