Windows Analysis Report
采购订单要求 & 绘图样本.exe ("Purchase order requirements & drawing sample.exe"; the sandbox escapes the non-ASCII characters of the file name as #U91c7#U8d2d#U8ba2#U5355#U8981#U6c42 & #U7ed8#U56fe#U6837#U672c.exe)
Overview
General Information
Detection
S500Rat
| Score | 100 |
|---|---|
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Antivirus detection for dropped file
Snort IDS alert for network traffic
Yara detected S500Rat
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Creates multiple autostart registry keys
Uses cmd line tools excessively to alter registry or file data
.NET source code contains potential unpacker
Uses schtasks.exe or at.exe to add and modify task schedules
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Yara detected ProcessChecker
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to execute programs as a different user
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w10x64
- 采购订单要求 & 绘图样本.exe (PID: 5220 cmdline: C:\Users\user\Desktop\采购订单要求 & 绘图样本.exe MD5: D32389E2207879F0B57835EABCE6FB02)
- NRHRAS.exe (PID: 5576 cmdline: "C:\Users\user\AppData\Local\Temp\NRHRAS.exe" MD5: 9B1C1C565D60ED67CB6E1986ACD95C3A)
- attrib.exe (PID: 3080 cmdline: C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Stub MD5: FDC601145CD289C6FBC96D3F805F3CD7)
- conhost.exe (PID: 2028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- attrib.exe (PID: 2932 cmdline: C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Stub\Chrome.exe MD5: FDC601145CD289C6FBC96D3F805F3CD7)
- conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 6016 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp1D8D.tmp.bat"" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- timeout.exe (PID: 5148 cmdline: timeout 3 MD5: EB9A65078396FB5D4E3813BB9198CB18)
- Chrome.exe (PID: 4204 cmdline: "C:\Users\user\AppData\Roaming\Stub\Chrome.exe" MD5: 9B1C1C565D60ED67CB6E1986ACD95C3A)
- powershell.exe (PID: 6116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 2468 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn UALDJT.exe /tr C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe /sc minute /mo 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 3420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 5880 cmdline: schtasks /create /tn UALDJT.exe /tr C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe /sc minute /mo 1 MD5: 15FF7D8324231381BAD48A052F85DF04)
- wscript.exe (PID: 5860 cmdline: WSCript C:\Users\user~1\AppData\Local\Temp\UALDJT.vbs MD5: 7075DD7B9BE8807FCA93ACD86F724884)
- Acrobat Reader DC.exe (PID: 768 cmdline: "C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe" MD5: D32389E2207879F0B57835EABCE6FB02)
- Acrobat Reader DC.exe (PID: 3484 cmdline: "C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe" MD5: D32389E2207879F0B57835EABCE6FB02)
- Acrobat Reader DC.exe (PID: 2740 cmdline: "C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe" MD5: D32389E2207879F0B57835EABCE6FB02)
- cleanup

The MD5 hashes show that Acrobat Reader DC.exe under AppData\Roaming\Windata is a copy of the submitted sample and that Chrome.exe under AppData\Roaming\Stub is a copy of the dropped NRHRAS.exe; the names are decoys, not the legitimate applications.
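As an added example (not part of the Joe Sandbox report), the following Python script turns the behaviours visible in the process tree above into process-creation detection logic and runs it over events constructed from the report's own command lines, plus one benign scheduled task as a control. The event fields (image, cmdline), the rule names and the benign control are this example's own assumptions, not a log schema or data the report provides; no signature or hash checking is done, so an image under the user profile is flagged purely on location.

```python
"""Added example: process-creation detection for the persistence and
defence-evasion steps seen in the S500Rat process tree (not report code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # full path of the created process (assumed field name)
    cmdline: str    # command line as recorded (assumed field name)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Locations a standard user can write to; a LOLBin whose argument points here
# deserves far more suspicion than one pointing at Program Files or System32.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)
# Set-MpPreference / Add-MpPreference with any -Exclusion* parameter.
DEFENDER_EXCLUSION = re.compile(r"\b(?:set|add)-mppreference\b.*-exclusion", re.I)
# Whole /tr argument up to the next switch: the sample's task target is an
# unquoted path containing spaces, so splitting on whitespace would miss it.
SCHTASKS_TARGET = re.compile(r"/tr\s+(.+?)(?=\s+/\w+|$)", re.I)
SCRIPT_IN_TEMP = re.compile(r"\\Temp\\[^\s\"]+\.(?:vbs|vbe|js|jse|wsf)\b", re.I)

# Constructed from the report's process list (PIDs and command lines as shown),
# plus one benign control event (PID 9999) that is not from the report.
EVENTS = [
    ProcEvent(5576, r"C:\Users\user\AppData\Local\Temp\NRHRAS.exe",
              r'"C:\Users\user\AppData\Local\Temp\NRHRAS.exe"'),
    ProcEvent(3080, r"C:\Windows\System32\attrib.exe",
              r'C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Stub'),
    ProcEvent(6116, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r"Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit"),
    ProcEvent(5880, r"C:\Windows\System32\schtasks.exe",
              r"schtasks /create /tn UALDJT.exe /tr C:\Users\user\AppData\Roaming"
              r"\Windata\Acrobat Reader DC.exe /sc minute /mo 1"),
    ProcEvent(5860, r"C:\Windows\System32\wscript.exe",
              r"WSCript C:\Users\user~1\AppData\Local\Temp\UALDJT.vbs"),
    ProcEvent(768, r"C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe",
              r'"C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe"'),
    ProcEvent(9999, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Updater /tr "C:\Program Files\Vendor\upd.exe" /sc hourly'),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return one Finding per (event, rule) match."""
    findings = []
    for ev in events:
        exe = _basename(ev.image)
        cmd = ev.cmdline
        if exe == "powershell.exe" and DEFENDER_EXCLUSION.search(cmd):
            findings.append(Finding(ev.pid, "defender_exclusion_added", cmd))
        if exe == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            m = SCHTASKS_TARGET.search(cmd)
            target = m.group(1) if m else ""
            if USER_WRITABLE.search(target):
                freq = re.search(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", cmd, re.I)
                sched = " ".join(g for g in (freq.groups() if freq else ()) if g)
                findings.append(Finding(ev.pid, "schtasks_user_writable_target",
                                        f"{target} ({sched})"))
        low = cmd.lower()
        if exe == "attrib.exe" and "+h" in low and "+s" in low and USER_WRITABLE.search(cmd):
            findings.append(Finding(ev.pid, "attrib_hide_in_user_profile", cmd))
        if exe in ("wscript.exe", "cscript.exe") and SCRIPT_IN_TEMP.search(cmd):
            findings.append(Finding(ev.pid, "script_host_from_temp", cmd))
        if USER_WRITABLE.search(ev.image):
            findings.append(Finding(ev.pid, "exec_from_user_profile", ev.image))
    return findings


def rules_for(findings, pid):
    """Set of rule names that fired for a given PID."""
    return {f.rule for f in findings if f.pid == pid}


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"PID {f.pid:>5}  {f.rule:<32} {f.detail}")
```

Run it directly to print the findings. The control task (PID 9999) points at Program Files and fires nothing, while the sample's task fires because its target lives under AppData\Roaming and is re-run every minute; in production these rules would be tuned with parent-process context (NRHRAS.exe and Chrome.exe spawning cmd.exe and powershell.exe) rather than command lines alone.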
Malware configuration (extracted): {"C2 list": ["127.0.0.1"], "Ports": ["7000"], "Mutex": "S500Mutex_YMXBWEGOQS", "Server Cert": "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"}

Note that the extracted C2 is a loopback address (127.0.0.1:7000), while the Snort alert in this report was raised on traffic to 194.5.98.212:5552; the embedded configuration therefore does not account for the observed network activity.
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security | |
| | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security | |
| | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security | |
| | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security | |
| | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security | |
| | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security | |
| | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security | |
| | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security | |
| | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security | |
No Sigma rule has matched
| Timestamp | 10/10/22-07:46:46.795098 |
|---|---|
| Source IP | 192.168.2.7 |
| Destination IP | 194.5.98.212 |
| Source Port | 49740 |
| Destination Port | 5552 |
| Protocol | TCP |
| SID | 2849885 |
| Classtype | A Network Trojan was detected |
AV Detection

| Source | Result |
|---|---|
| Avira | |
| Avira | |
| Avira | |
| Avira | |
| Avira | |
| ReversingLabs | |
| Virustotal | |
| Metadefender | |
| ReversingLabs | |
| Virustotal | |
| Metadefender | |
| ReversingLabs | |
| Joe Sandbox ML | |
| Joe Sandbox ML | |
| Avira | |
| Avira | |
| Malware Configuration Extractor | |
| Static PE information | |