Windows Analysis Report
Reciept.exe

Overview

General Information

Sample Name: Reciept.exe
Analysis ID: 706873
MD5: 6a4ee0ab3240bb566273aa968cea51d4
SHA1: 149e1ff3e6cb977a8220b985599fb2e0929e0078
SHA256: de09ae47bc867cc2d931c49a3b77cb6107f48e8c00c38a7c3e57b85db8a80452
Tags: exe, Kutaki

Detection

Kutaki
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Kutaki Keylogger
Antivirus / Scanner detection for submitted sample
Potential malicious icon found
Multi AV Scanner detection for submitted file
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Drops PE files to the startup folder
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses code obfuscation techniques (call, push, ret)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Abnormal high CPU Usage

Classification

  • System is w10x64
  • Reciept.exe (PID: 3932 cmdline: "C:\Users\user\Desktop\Reciept.exe" MD5: 6A4EE0AB3240BB566273AA968CEA51D4)
    • cmd.exe (PID: 6140 cmdline: cmd.exe /c C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ch.exe (PID: 5232 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe MD5: 6A4EE0AB3240BB566273AA968CEA51D4)
  • ch.exe (PID: 5188 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe" MD5: 6A4EE0AB3240BB566273AA968CEA51D4)
  • cleanup
{"C2 url": ["http://newbosslink.xyz/baba/new4.php"]}
Yara matches (every entry below: Rule JoeSecurity_Kutaki, Description "Yara detected Kutaki Keylogger", Author Joe Security, no strings listed)

Sample:
  Reciept.exe
Dropped file:
  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe
Memory dumps (2 further entries not shown in this export):
  00000003.00000000.257096134.0000000000401000.00000020.00000001.01000000.00000007.sdmp
  00000000.00000000.252108144.0000000000401000.00000020.00000001.01000000.00000003.sdmp
  00000007.00000000.279445434.0000000000401000.00000020.00000001.01000000.00000007.sdmp
  00000007.00000002.294816135.0000000000401000.00000020.00000001.01000000.00000007.sdmp
  00000000.00000002.259858131.0000000000401000.00000020.00000001.01000000.00000003.sdmp
Unpacked PE:
  7.0.ch.exe.400000.0.unpack
  0.2.Reciept.exe.400000.0.unpack
  3.0.ch.exe.400000.0.unpack
  0.0.Reciept.exe.400000.0.unpack
  7.2.ch.exe.400000.0.unpack

No Sigma rule has matched
No Snort rule has matched

                          AV Detection

Source: Reciept.exe | Avira: detected
Source: Reciept.exe | ReversingLabs: Detection: 40%
Source: Reciept.exe | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Joe Sandbox ML: detected
Source: Reciept.exe | Joe Sandbox ML: detected
Source: 0.0.Reciept.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 7.0.ch.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 3.0.ch.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.Reciept.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 7.2.ch.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: Reciept.exe | Malware Configuration Extractor: Kutaki {"C2 url": ["http://newbosslink.xyz/baba/new4.php"]}
Source: Reciept.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

                          Networking

Source: Malware configuration extractor | IPs: http://newbosslink.xyz/baba/new4.php
Source: ch.exe, 00000003.00000003.354212015.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ch.exe, 00000003.00000003.353043943.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, ch.exe, 00000003.00000003.353360704.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, ch.exe, 00000003.00000003.354052976.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http:///2.3fLy
Source: ch.exe, 00000003.00000003.413130550.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http:///;.;

                          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: Reciept.exe, type: SAMPLE
Source: Yara match | File source: 7.0.ch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Reciept.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Reciept.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.ch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.257096134.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.252108144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.279445434.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.294816135.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.259858131.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Reciept.exe PID: 3932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ch.exe PID: 5232, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe, type: DROPPED
Source: Reciept.exe, 00000000.00000002.260120014.000000000082A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                          System Summary

Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: Reciept.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Reciept.exe, 00000000.00000003.259380833.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename 29.exe vs Reciept.exe
Source: Reciept.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ch.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_0040BCBA
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404084
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Code function: 7_2_0040BCBA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Code function: 7_2_00404084
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Process Stats: CPU usage > 98%
Source: Reciept.exe | ReversingLabs: Detection: 40%
Source: Reciept.exe | Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\Reciept.exe | File read: C:\Users\user\Desktop\Reciept.exe
Source: Reciept.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Reciept.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Reciept.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\Reciept.exe "C:\Users\user\Desktop\Reciept.exe"
Source: C:\Users\user\Desktop\Reciept.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Reciept.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe"
Source: C:\Users\user\Desktop\Reciept.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_01
Source: Reciept.exe, ch.exe | Binary or memory string: abase.vbp
Source: Reciept.exe, 00000000.00000002.259898522.000000000041A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: w@*\AC:\Users\USER\Desktop\Martin-KL\Martin-KL\40-PrjTelDir\PrjTelDir.vbp
Source: Reciept.exe, ch.exe | Binary or memory string: *\AC:\Users\USER\Desktop\Martin-KL\Martin-KL\40-PrjTelDir\PrjTelDir.vbp
Source: Reciept.exe, 00000000.00000000.252108144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Reciept.exe, 00000000.00000002.259858131.0000000000401000.00000020.00000001.01000000.00000003.sdmp, ch.exe, 00000003.00000000.257096134.0000000000401000.00000020.00000001.01000000.00000007.sdmp | Binary or memory string: @*\AC:\Users\USER\Desktop\Martin-KL\Martin-KL\40-PrjTelDir\PrjTelDir.vbpabase.vbp,
Source: C:\Users\user\Desktop\Reciept.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe
Source: C:\Users\user\Desktop\Reciept.exe | File created: C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp
Source: classification engine | Classification label: mal100.rans.troj.adwa.spyw.evad.winEXE@8/2@0/1
Source: C:\Windows\SysWOW64\cmd.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403E4C push 0040123Ah; ret 0_2_00403E5F
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404A4C push 0040123Ah; ret 0_2_00404A5F
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_0040764C push 0040123Ah; ret 0_2_0040765F
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403250 push 0040123Ah; ret 0_2_00403263
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403E60 push 0040123Ah; ret 0_2_00403E73
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404A60 push 0040123Ah; ret 0_2_00404A73
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00407660 push 0040123Ah; ret 0_2_00407673
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403264 push 0040123Ah; ret 0_2_00403277
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403E74 push 0040123Ah; ret 0_2_00403E87
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404A74 push 0040123Ah; ret 0_2_00404A87
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00407674 push 0040123Ah; ret 0_2_00407687
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_0040747B push 0040123Ah; ret 0_2_00407493
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403E10 push 0040123Ah; ret 0_2_00403E23
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404A10 push 0040123Ah; ret 0_2_00404A23
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00407610 push 0040123Ah; ret 0_2_00407623
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403E24 push 0040123Ah; ret 0_2_00403E37
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404A24 push 0040123Ah; ret 0_2_00404A37
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00407624 push 0040123Ah; ret 0_2_00407637
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403228 push 0040123Ah; ret 0_2_0040323B
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403E38 push 0040123Ah; ret 0_2_00403E4B
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404A38 push 0040123Ah; ret 0_2_00404A4B
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00407638 push 0040123Ah; ret 0_2_0040764B
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_0040323C push 0040123Ah; ret 0_2_0040324F
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_0040263D push 0040123Ah; ret 0_2_004026AF
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_004026C4 push 0040123Ah; ret 0_2_004026D7
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_004076C4 push 0040123Ah; ret 0_2_004076D7
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_004074CB push 0040123Ah; ret 0_2_004074E3
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00401CD0 push 0040123Ah; ret 0_2_00401D0B
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_004036D0 push 0040123Ah; ret 0_2_004036E3
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_004026D8 push 0040123Ah; ret 0_2_004026EB
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_004076D8 push 0040123Ah; ret 0_2_004076EB
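The "push 0040123Ah; ret" entries above are what the "Uses code obfuscation techniques (call, push, ret)" signature keys on: a push of an immediate followed, a few bytes later, by ret is an indirect jump that a linear disassembler does not show as control flow (in this report the push and the ret are 0x13 bytes apart, for example push at 00403E4C and ret at 00403E5F). The scanner below is an added example, not Joe Sandbox's detection logic and not code from this sample. It byte-scans a code blob for push imm32 followed by a ret within a small window, reports (push address, ret address, target) in the report's shape, and discards candidates whose pushed target lies outside the image, which is a cheap filter for the false positives a byte scan produces when 0x68 occurs inside another instruction's operand. The code bytes, the code address 0x401000, the image base 0x400000 and the image size 0x10000 are constructed for the example; the scan_file helper assumes the third-party pefile module for feeding it a real binary.

```python
import struct
from collections import Counter
from typing import Dict, List, Tuple

PUSH_IMM32 = 0x68  # push imm32
RET = 0xC3         # ret

# Constructed x86 code, not bytes from the sample: three real push/ret pairs
# (two of them to the 0040123Ah target seen throughout the report, one with
# three nops between push and ret) plus a "mov eax, 68h; ret; ret" run whose
# bytes 68 00 00 00 C3 C3 look like a push/ret pair to a byte scanner.
SAMPLE_CODE = bytes.fromhex(
    "558bec"              # push ebp; mov ebp, esp
    "683a124000c3"        # push 0040123Ah; ret                 push @+0x03, ret @+0x08
    "683a124000909090c3"  # push 0040123Ah; nop; nop; nop; ret  push @+0x09, ret @+0x11
    "6800204000c3"        # push 00402000h; ret                 push @+0x12, ret @+0x17
    "b868000000c3c3"      # mov eax, 68h; ret; ret              false candidate @+0x19
)
CODE_VA = 0x401000     # assumed address of the blob (a .text RVA of 0x1000)
IMAGE_BASE = 0x400000  # assumed; read ImageBase from the PE header on a real file
IMAGE_SIZE = 0x10000   # assumed; read SizeOfImage from the PE header on a real file

Site = Tuple[int, int, int]  # (push_va, ret_va, target_va)


def find_push_ret(code: bytes, code_va: int, image_base: int, image_size: int,
                  max_gap: int = 0x20) -> Dict[str, List[Site]]:
    """Byte-scan `code` (mapped at `code_va`) for push imm32 followed by ret.

    The ret may sit up to `max_gap` bytes after the 5-byte push (max_gap=0 means
    strictly adjacent). Candidates whose target is outside the image range are
    returned under "rejected" instead of "sites".
    """
    lo, hi = image_base, image_base + image_size
    sites: List[Site] = []
    rejected: List[Site] = []
    i = 0
    while i + 5 < len(code):
        if code[i] == PUSH_IMM32:
            j = code.find(bytes([RET]), i + 5, i + 6 + max_gap)
            if j != -1:
                target = struct.unpack_from("<I", code, i + 1)[0]
                entry = (code_va + i, code_va + j, target)
                if lo <= target < hi:
                    sites.append(entry)
                    i = j + 1  # resume after the ret we just consumed
                    continue
                rejected.append(entry)
        i += 1
    return {"sites": sites, "rejected": rejected}


def targets_by_frequency(sites: List[Site]) -> Counter:
    """How often each target is pushed. One target reused at every site is the
    shape of compiler-emitted thunks; many distinct targets is the shape of
    per-site control-flow hiding."""
    return Counter(target for _, _, target in sites)


def scan_file(path: str) -> Dict[str, List[Site]]:
    """Run the scanner over the .text section of a PE on disk (assumes pefile)."""
    import pefile  # third-party; not needed for the constructed demo above
    pe = pefile.PE(path)
    base, size = pe.OPTIONAL_HEADER.ImageBase, pe.OPTIONAL_HEADER.SizeOfImage
    for section in pe.sections:
        if section.Name.rstrip(b"\x00") == b".text":
            return find_push_ret(section.get_data(), base + section.VirtualAddress, base, size)
    return {"sites": [], "rejected": []}


if __name__ == "__main__":
    result = find_push_ret(SAMPLE_CODE, CODE_VA, IMAGE_BASE, IMAGE_SIZE)
    for push_va, ret_va, target in result["sites"]:
        print(f"0_2_{push_va:08X} push {target:08X}h; ret 0_2_{ret_va:08X}")
    for push_va, ret_va, target in result["rejected"]:
        print(f"0_2_{push_va:08X} rejected: target {target:08X}h is outside the image")
    print(dict(targets_by_frequency(result["sites"])))
```

One check before weighting this signature: every site in the report pushes the same target, 0040123Ah. A single target reused at dozens of sites is what compiler-emitted thunks look like, and this is a VB6 binary (it loads msvbvm60.dll and carries a PrjTelDir.vbp project path), so look at what sits at the target in a disassembler before treating the pattern as deliberate obfuscation.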

                          Boot Survival

Source: C:\Users\user\Desktop\Reciept.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe (dropped file; listed three times in the original report)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes (listed four times in the original report)
Source: C:\Users\user\Desktop\Reciept.exe | Process information set: NOOPENFILEERRORBOX
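Read together with the process tree, the Boot Survival entries describe the whole persistence mechanism: Reciept.exe writes ch.exe into the user's Startup folder, the dropped file has the same MD5 as the sample (a copy of itself, not a second stage), the copy is started straight away as a child of the sample, and a .bmp in %TEMP% is opened through cmd.exe /c, which is the shape of a decoy image shown to the victim while the keylogger starts. The triage below is an added example, not Joe Sandbox's signature logic: it runs over a list of events transcribed from this report's process tree and File created lines (the event schema is mine; the PIDs, paths and hashes are the report's) and raises one finding per pattern. The decoy reading of the cmd /c line is an inference to confirm against the sandbox screenshots, not something the report states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Events transcribed from this report's process tree and "File created" lines.
# The kind/pid/ppid/image/cmdline/path/md5 schema is an assumption made for
# the example; a real feed (sandbox JSON, Sysmon 1/11) maps onto it easily.
EVENTS: List[Dict] = [
    {"kind": "process", "pid": 3932, "ppid": None,
     "image": r"C:\Users\user\Desktop\Reciept.exe",
     "cmdline": r'"C:\Users\user\Desktop\Reciept.exe"',
     "md5": "6a4ee0ab3240bb566273aa968cea51d4"},
    {"kind": "file_created", "pid": 3932,
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe",
     "md5": "6a4ee0ab3240bb566273aa968cea51d4"},
    {"kind": "file_created", "pid": 3932,
     "path": r"C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp", "md5": None},
    {"kind": "process", "pid": 6140, "ppid": 3932,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp",
     "md5": "f3bdbe3bb6f734e357235f4d5898582d"},
    {"kind": "process", "pid": 5232, "ppid": 3932,
     "image": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe",
     "md5": "6a4ee0ab3240bb566273aa968cea51d4"},
]

STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
PE_EXT = (".exe", ".dll", ".scr", ".com")
# cmd /c cannot execute these itself; they open through the file association.
DOCUMENT_EXT = (".bmp", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".docx", ".xlsx")
CMD_C_RE = re.compile(r"cmd(?:\.exe)?\s+/c\s+(.+?)\s*$", re.IGNORECASE)


def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for drop-to-Startup persistence patterns."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    drops = [e for e in events if e["kind"] == "file_created"]
    dropped_paths = {d["path"].lower() for d in drops}
    findings: List[Tuple[str, str]] = []

    for d in drops:
        # PE written into the per-user Startup folder: runs at next logon.
        if STARTUP_RE.search(d["path"]) and d["path"].lower().endswith(PE_EXT):
            findings.append(("startup_folder_pe_drop", d["path"]))
        creator: Optional[Dict] = procs.get(d["pid"])
        # Dropped file hashes like the creating process image: a self-copy.
        if creator and d["md5"] and d["md5"].lower() == (creator.get("md5") or "").lower():
            findings.append(("self_copy", f'{creator["image"]} -> {d["path"]}'))

    for p in procs.values():
        m = CMD_C_RE.search(p.get("cmdline", ""))
        # cmd /c <document>: opens it via the shell association, typical for a decoy.
        if m and m.group(1).strip('"').lower().endswith(DOCUMENT_EXT):
            findings.append(("cmd_c_opens_document", m.group(1)))
        # Child whose image was written earlier by its own parent: drop-and-execute.
        parent = procs.get(p.get("ppid"))
        if parent and p["image"].lower() in dropped_paths:
            findings.append(("drop_and_execute", f'{parent["image"]} -> {p["image"]}'))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:24s} {detail}")
```

The self_copy rule is the one worth keeping in mind when reading AV verdicts on the dropped file: ch.exe is byte-identical to the sample, so the separate "Antivirus detection for dropped file" hits add no new coverage, and the Startup folder entry is the only thing that needs removing beyond the original file.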