Windows Analysis Report
qOiBFeRq7X.exe

Overview

General Information

Sample Name: qOiBFeRq7X.exe
Analysis ID: 708237
MD5: e350cbab3b64e8f7e523619721392d21
SHA1: 719c508f86b5e0a5c97d90dfad8aa30ca5f344f9
SHA256: b25478bd070ab292272094d6a9793a0e7eba11340b2693258eccd6876196c5e3
Tags: 185-25-204-244ServereasySrlexeMorpheus
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
PE file contains more sections than normal
Potential time zone aware malware
Installs a raw input device (often for capturing keystrokes)
Program does not show much activity (idle)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names

Classification

AV Detection

barindex
Source: qOiBFeRq7X.exe Virustotal: Detection: 7% Perma Link
Source: qOiBFeRq7X.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: global traffic TCP traffic: 192.168.2.6:49708 -> 185.25.204.244:9090
Source: unknown TCP traffic detected without corresponding DNS query: 185.25.204.244
Source: unknown TCP traffic detected without corresponding DNS query: 185.25.204.244
Source: unknown TCP traffic detected without corresponding DNS query: 185.25.204.244
Source: qOiBFeRq7X.exe Binary or memory string: github.com/gonutz/w32/v2.getRawInputData
Source: qOiBFeRq7X.exe Static PE information: Number of sections : 14 > 10
Source: qOiBFeRq7X.exe Static PE information: Section: /19 ZLIB complexity 0.9957361985125858
Source: qOiBFeRq7X.exe Static PE information: Section: /32 ZLIB complexity 0.9980690696022727
Source: qOiBFeRq7X.exe Static PE information: Section: /65 ZLIB complexity 0.9984093597374848
Source: qOiBFeRq7X.exe Virustotal: Detection: 7%
Source: qOiBFeRq7X.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qOiBFeRq7X.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: qOiBFeRq7X.exe String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: classification engine Classification label: mal48.winEXE@2/0@0/1
Source: unknown Process created: C:\Users\user\Desktop\qOiBFeRq7X.exe "C:\Users\user\Desktop\qOiBFeRq7X.exe"
Source: C:\Users\user\Desktop\qOiBFeRq7X.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_01
Source: qOiBFeRq7X.exe Static file information: File size 4145664 > 1048576
Source: qOiBFeRq7X.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: qOiBFeRq7X.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12f400
Source: qOiBFeRq7X.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x132600
Source: qOiBFeRq7X.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: qOiBFeRq7X.exe Static PE information: section name: /4
Source: qOiBFeRq7X.exe Static PE information: section name: /19
Source: qOiBFeRq7X.exe Static PE information: section name: /32
Source: qOiBFeRq7X.exe Static PE information: section name: /46
Source: qOiBFeRq7X.exe Static PE information: section name: /65
Source: qOiBFeRq7X.exe Static PE information: section name: /78
Source: qOiBFeRq7X.exe Static PE information: section name: /90
Source: qOiBFeRq7X.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\qOiBFeRq7X.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\qOiBFeRq7X.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\qOiBFeRq7X.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: qOiBFeRq7X.exe, 00000000.00000002.259002698.000002D0DA2D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGG
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs