Windows Analysis Report
#U91c7#U8d2d#U8ba2#U5355#U8981#U6c42 & #U7ed8#U56fe#U6837#U672c.exe

Overview

General Information

Sample Name:#U91c7#U8d2d#U8ba2#U5355#U8981#U6c42 & #U7ed8#U56fe#U6837#U672c.exe
Analysis ID:719236
MD5:d32389e2207879f0b57835eabce6fb02
SHA1:23c2a0f0ac030766ae74b7fbfc242f3d77b0ff71
SHA256:b3f2810e4ba5c3341498d99807e2f200459eb2bd4d365b3ee52a20e9e12606c1
Tags:exe

Detection

S500Rat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Snort IDS alert for network traffic
Yara detected S500Rat
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Creates multiple autostart registry keys
Uses cmd line tools excessively to alter registry or file data
.NET source code contains potential unpacker
Uses schtasks.exe or at.exe to add and modify task schedules
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Yara detected ProcessChecker
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to execute programs as a different user
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • #U91c7#U8d2d#U8ba2#U5355#U8981#U6c42 & #U7ed8#U56fe#U6837#U672c.exe (PID: 5220 cmdline: C:\Users\user\Desktop\#U91c7#U8d2d#U8ba2#U5355#U8981#U6c42 & #U7ed8#U56fe#U6837#U672c.exe MD5: D32389E2207879F0B57835EABCE6FB02)
    • NRHRAS.exe (PID: 5576 cmdline: "C:\Users\user\AppData\Local\Temp\NRHRAS.exe" MD5: 9B1C1C565D60ED67CB6E1986ACD95C3A)
      • attrib.exe (PID: 3080 cmdline: C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Stub MD5: FDC601145CD289C6FBC96D3F805F3CD7)
        • conhost.exe (PID: 2028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • attrib.exe (PID: 2932 cmdline: C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Stub\Chrome.exe MD5: FDC601145CD289C6FBC96D3F805F3CD7)
        • conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6016 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp1D8D.tmp.bat"" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 5148 cmdline: timeout 3 MD5: EB9A65078396FB5D4E3813BB9198CB18)
        • Chrome.exe (PID: 4204 cmdline: "C:\Users\user\AppData\Roaming\Stub\Chrome.exe" MD5: 9B1C1C565D60ED67CB6E1986ACD95C3A)
          • powershell.exe (PID: 6116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit MD5: 95000560239032BC68B4C2FDFCDEF913)
            • conhost.exe (PID: 424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2468 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn UALDJT.exe /tr C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe /sc minute /mo 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5880 cmdline: schtasks /create /tn UALDJT.exe /tr C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe /sc minute /mo 1 MD5: 15FF7D8324231381BAD48A052F85DF04)
    • wscript.exe (PID: 5860 cmdline: WSCript C:\Users\user~1\AppData\Local\Temp\UALDJT.vbs MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • Acrobat Reader DC.exe (PID: 768 cmdline: "C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe" MD5: D32389E2207879F0B57835EABCE6FB02)
  • Acrobat Reader DC.exe (PID: 3484 cmdline: "C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe" MD5: D32389E2207879F0B57835EABCE6FB02)
  • Acrobat Reader DC.exe (PID: 2740 cmdline: "C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe" MD5: D32389E2207879F0B57835EABCE6FB02)
  • cleanup
{"C2 list": ["127.0.0.1"], "Ports": ["7000"], "Mutex": "S500Mutex_YMXBWEGOQS", "Server Cert": "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"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\UALDJT.vbs | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security |
C:\Users\user\AppData\Roaming\Stub\Chrome.exe | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security |
C:\Users\user\AppData\Local\Temp\NRHRAS.exe | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security |
Source | Rule | Description | Author | Strings
00000001.00000002.321313528.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security |
00000001.00000000.238959755.00000000002F2000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security |
00000005.00000002.634250998.00000000030A3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security |
00000005.00000002.640455808.00000000032A6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security |
00000005.00000002.633552399.0000000003088000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security |
Source | Rule | Description | Author | Strings
1.2.NRHRAS.exe.2cda580.1.unpack | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security |
1.0.NRHRAS.exe.2f0000.0.unpack | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security |
1.2.NRHRAS.exe.2cda580.1.raw.unpack | JoeSecurity_S500Rat | Yara detected S500Rat | Joe Security |
No Sigma rule has matched

Snort IDS alert
Timestamp:10/10/22-07:46:46.795098
Source IP:192.168.2.7
Source Port:49740
Destination IP:194.5.98.212
Destination Port:5552
Protocol:TCP
SID:2849885
Classtype:A Network Trojan was detected

AV Detection

Source: C:\Users\user\AppData\Roaming\Stub\Chrome.exe | Avira: detection malicious, Label: HEUR/AGEN.1203089
Source: C:\Users\user\AppData\Local\Temp\UALDJT.vbs | Avira: detection malicious, Label: VBS/Runner.VPJI
Source: C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe | Avira: detection malicious, Label: HEUR/AGEN.1229397
Source: C:\Users\user\AppData\Local\Temp\NRHRAS.exe | Avira: detection malicious, Label: HEUR/AGEN.1203089
Source: #U91c7#U8d2d#U8ba2#U5355#U8981#U6c42 & #U7ed8#U56fe#U6837#U672c.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\NRHRAS.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\NRHRAS.exe | Virustotal: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\NRHRAS.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Stub\Chrome.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Stub\Chrome.exe | Virustotal: Detection: 79%
Source: C:\Users\user\AppData\Roaming\Stub\Chrome.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\Stub\Chrome.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\NRHRAS.exe | Joe Sandbox ML: detected
Source: 0.3.#U91c7#U8d2d#U8ba2#U5355#U8981#U6c42 & #U7ed8#U56fe#U6837#U672c.exe.4110c48.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.#U91c7#U8d2d#U8ba2#U5355#U8981#U6c42 & #U7ed8#U56fe#U6837#U672c.exe.40e8450.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.NRHRAS.exe.2f0000.0.unpack | Malware Configuration Extractor: S500 Rat {"C2 list": ["127.0.0.1"], "Ports": ["7000"], "Mutex": "S500Mutex_YMXBWEGOQS", "Server Cert": "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"}
Source: #U91c7#U8d2d#U8ba2#U5355#U8981#U6c42 & #U7ed8#U56fe#U6837#U672c.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Roaming\Windata\Acrobat Reader DC.e