Windows Analysis Report
4dzlU0beKB.exe
Overview
General Information
Detection
Malware family | Score | Range | Whitelisted | Confidence
---|---|---|---|---
Phorpiex | 100 | 0 - 100 | false | 100%
Signatures
Multi AV Scanner detection for submitted file
Yara detected Phorpiex
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Found evasive API chain (may stop execution after checking mutex)
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Contains functionality to detect sleep reduction / modifications
Contains functionality to check if Internet connection is working
Uses 32bit PE files
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Drops files with a non-matching file extension (content does not match file extension)
Installs a raw input device (often for capturing keystrokes)
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality for read data from the clipboard
Classification
- System is w10x64
- 4dzlU0beKB.exe (PID: 2372, cmdline: "C:\Users\user\Desktop\4dzlU0beKB.exe", MD5: FE304E909FB1F67C4D9030FC74D0A2F1)
- 2314729694.scr (PID: 3508, cmdline: C:\Users\user\AppData\Local\Temp\2314729694.scr, MD5: ED2D7B25BB360CCCB4F0F6A4F8732D7A)
- winrecsv.exe (PID: 868, cmdline: C:\Windows\winrecsv.exe, MD5: ED2D7B25BB360CCCB4F0F6A4F8732D7A)
- winrecsv.exe (PID: 4860, cmdline: "C:\Windows\winrecsv.exe", MD5: ED2D7B25BB360CCCB4F0F6A4F8732D7A)
- 2201832713.exe (PID: 2028, cmdline: C:\Users\user\AppData\Local\Temp\2201832713.exe, MD5: 8F56F0F0C9A4AA6C0BDA072D8BF7C769)
- cleanup
{"C2 url": "http://185.215.113.66/twizt/", "Wallet": ["12SJv5p8xUHeiKnXPCDaKCMpqvXj7TABT5BSxGt3csz9Beuc", "1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD", "3PFzu8Rw8aDNhDT6d5FMrZ3ckE4dEHzogfg", "3BJS4zYwrnfcJMm4xLxRcsa69ght8n6QWz", "lskbjrchofkmqtugfw28ot7jzv96u75xzyb5bvoop", "qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k", "XgWbWpuyPGney7hcS9vZ7eNhkj7WcvGcj8", "DPcSSyFAYLu4aEB4s1Yotb8ANwtx6bZEQG", "0xb899fC445a1b61Cdd62266795193203aa72351fE", "LRDpmP5wHZ82LZimzWDLHVqJPDSpkM1gZ7", "r1eZ7W1fmUT9tiUZwK6rr3g6RNiE4QpU1", "TBdEh7r35ywUD5omutc2kDTX7rXhnFkxy5", "t1T7mBRBgTYPEL9RPPBnAVgcftiWUPBFWyy", "terra1smy8jurjwm790qrt5z3qrsyrx9a3lcwehvzmw3", "tz1fpBZAB1jz7RsefBjT94VR3h5VzL4akg6L", "hxc65003fbd738014cf286edf92f9ddac689ec4de5", "QYHny85SWYTLcZFFNNoVovyN15eNbwZdW6", "RRQ9QGcqnHEqJAbcEjs9X3EYsEfXrZPvEi", "NC7YTU5BSOVDYRUPWA3KUXP437AEZ7JNE2H3EYGI", "AGUqhQzF52Qwbvun5wQSrpokPtCC4b9yiX", "SNCjaBTsinQUDTjBvBoDLVm2AnN2qXeMCs", "zil14rxudm29xzmu9cyk0mcwvrlxm086evuawjy2ev", "s1dSgik6QuCDrRnw9yvtrLCvRLDemi2juJe", "bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k", "cosmos156h8kejuwm3n7ywpwajplfzahgum8lenvkezny", "4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK", "addr1q8ujsfumgrpjvp2v6s3cfndz7yqf7cgpnjfpdlqxfphwfa0e9qneksxrycz5e4prsnx69ugqnassr8yjzm7qvjrwun6s6dfsrt", "aPSfmf1H5DNksgcUMV39NPJcSj832L2okm", "FeGdLZrnbVLsmiY9tZ4ssoRjdLDxiigQBL", "GCVFMTUKNLFBGHE3AHRJH4IJDRZGWOJ6JD2FQTFQAAIQR64ALD7QJHUY", "GSdrN7W3GsqsxqaXg4x9k5C8cf1uJeoFFg", "bnb1rcg9mnkzna2tw4u8ughyaj6ja8feyj87hss9ky", "band1f2nuxcxahrph4n4gpy4lndsp5q342fz0yjh945", "bc1qzs2hs5dvyx04h0erq4ea72sctcre2rcwadsq2v"]}
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |

The same rule matched 13 times across the three Yara sections (submitted file, dropped files, memory dumps); the Source and Strings columns are not preserved in this export.
No Sigma rule has matched
No Snort rule has matched
AV Detection

Detection sources reported for the submitted file, its dropped files and the contacted URLs (the individual engine verdicts are not preserved in this export):
- Virustotal (perma link)
- ReversingLabs
- Avira
- Avira URL Cloud
- Metadefender (perma link)
- Joe Sandbox ML
- Malware Configuration Extractor
- Code functions 3_2_0040AB50, 4_2_0040AB50, 9_2_0040AB50
Phishing

Source: File source (19 entries; the file names are not preserved in this export)