Windows
Analysis Report
JeCXrQSehB.exe
Overview
General Information
Detection
Vermin Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Vermin Keylogger
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Disables Windows Defender (via service or powershell)
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Machine Learning detection for sample
May check the online IP address of the machine
Yara detected Generic Downloader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- JeCXrQSehB.exe (PID: 3480 cmdline: C:\Users\user\Desktop\JeCXrQSehB.exe MD5: 17E6BFFAFF1EA223913DEB1BC78E74AE)
- schtasks.exe (PID: 2296 cmdline: "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\user\Desktop\JeCXrQSehB.exe" /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Client.exe (PID: 4204 cmdline: C:\Users\user\AppData\Roaming\UPX\Client.exe MD5: 17E6BFFAFF1EA223913DEB1BC78E74AE)
- schtasks.exe (PID: 2308 cmdline: "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\UPX\Client.exe" /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 4884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5264 cmdline: "powershell" Get-MpPreference -verbose MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 1776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- conhost.exe (PID: 1540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 4732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 2896 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5428 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5452 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5612 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 2912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- conhost.exe (PID: 5716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)