Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
Detection
DanaBot, SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Classification
- System is w10x64
- file.exe (PID: 5964 cmdline:
C:\Users\u ser\Deskto p\file.exe MD5: 9916148F32A362EAC0ABBF128E88E96B) - explorer.exe (PID: 3452 cmdline:
C:\Windows \Explorer. EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D) - 2BC9.exe (PID: 712 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\2BC9.ex e MD5: 459C6ECD112648FF13D0FFA917A938BD) - 7za.exe (PID: 3672 cmdline:
C:\Windows \system32\ 7za.exe MD5: 77E556CDFDC5C592F5C46DB4127C6F4C) - conhost.exe (PID: 2912 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - 4EE2.exe (PID: 3248 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\4EE2.ex e MD5: 7C1B6CA0476E2C572628034BDEAF5E3C)
- utitbii (PID: 3308 cmdline:
C:\Users\u ser\AppDat a\Roaming\ utitbii MD5: 9916148F32A362EAC0ABBF128E88E96B)
- 4EE2.exe (PID: 3220 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\4EE2.e xe" MD5: 7C1B6CA0476E2C572628034BDEAF5E3C)
- cleanup
{"C2 list": ["http://citnet.ru/tmp/", "http://ekcentric.com/tmp/", "http://cracker.biz/tmp/"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Click to see the 20 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
| |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
| |
JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security | ||
Click to see the 3 entries |
⊘No Sigma rule has matched
Timestamp: | 192.168.2.6175.126.109.1549711802851815 10/03/22-16:02:14.846797 |
SID: | 2851815 |
Source Port: | 49711 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6211.53.230.6749715802851815 10/03/22-16:02:21.311939 |
SID: | 2851815 |
Source Port: | 49715 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6175.126.109.1549730802851815 10/03/22-16:02:44.772680 |
SID: | 2851815 |
Source Port: | 49730 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6175.126.109.1549739802851815 10/03/22-16:02:58.898507 |
SID: | 2851815 |
Source Port: | 49739 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6181.167.134.2449732802851815 10/03/22-16:02:46.390980 |
SID: | 2851815 |
Source Port: | 49732 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.684.224.193.20049709802851815 10/03/22-16:02:11.455142 |
SID: | 2851815 |
Source Port: | 49709 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6211.53.230.6749720802851815 10/03/22-16:02:29.179301 |
SID: | 2851815 |
Source Port: | 49720 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6175.126.109.1549722802851815 10/03/22-16:02:32.120683 |
SID: | 2851815 |
Source Port: | 49722 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.684.224.193.20049719802851815 10/03/22-16:02:28.462445 |
SID: | 2851815 |
Source Port: | 49719 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6175.119.10.23149726802851815 10/03/22-16:02:38.913124 |
SID: | 2851815 |
Source Port: | 49726 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6138.36.3.13449740802851815 10/03/22-16:03:00.341262 |
SID: | 2851815 |
Source Port: | 49740 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6138.36.3.13449729802851815 10/03/22-16:02:43.502144 |
SID: | 2851815 |
Source Port: | 49729 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6211.53.230.6749746802851815 10/03/22-16:03:07.580559 |
SID: | 2851815 |
Source Port: | 49746 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6175.126.109.1549734802851815 10/03/22-16:02:49.117185 |
SID: | 2851815 |
Source Port: | 49734 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6138.36.3.13449741802851815 10/03/22-16:03:01.525351 |
SID: | 2851815 |
Source Port: | 49741 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6175.126.109.1549725802851815 10/03/22-16:02:36.667925 |
SID: | 2851815 |
Source Port: | 49725 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6175.126.109.1549712802851815 10/03/22-16:02:16.370323 |
SID: | 2851815 |
Source Port: | 49712 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.6181.167.134.2449738802851815 10/03/22-16:02:56.557715 |
SID: | 2851815 |
Source Port: | 49738 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Exploits |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Compliance |
---|
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: |
Networking |
---|
Source: | Domain query: | ||
Source: | Network Connect: | ||
Source: | Domain query: | ||
Source: | Domain query: |
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | IP Address: |
Source: | HTTP traffic detected: |