
Windows Analysis Report
1icHGAo2uY.exe

Overview

General Information

Sample Name:1icHGAo2uY.exe
Analysis ID:725299
MD5:9fdc2feb79c86790bee69e140ed9b1b9
SHA1:7eed01f680a97a7e5ff0b8b39faea9590c2f3dc0
SHA256:29842f71bd503e86896ae4b274aa21a0eaa67144ad83e2df89072ea8e8458fd0
Tags:exe

Detection

CryptbotV2
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected CryptbotV2
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to detect sandboxes and other dynamic analysis tools (window names)
Self deletion via cmd or bat file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Found C&C like URL pattern
C2 URLs / IPs found in malware configuration
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 1icHGAo2uY.exe (PID: 5420 cmdline: C:\Users\user\Desktop\1icHGAo2uY.exe MD5: 9FDC2FEB79C86790BEE69E140ED9B1B9)
    • cmd.exe (PID: 4500 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\521DAFDF9C07DA0F\endyma.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • endyma.exe (PID: 2216 cmdline: C:\Users\user\AppData\Roaming\521DAFDF9C07DA0F\endyma.exe MD5: C5AF489798080EF09451F8CC09E1C5E2)
        • DpEditor.exe (PID: 1380 cmdline: C:\Users\user\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe MD5: C5AF489798080EF09451F8CC09E1C5E2)
    • cmd.exe (PID: 1016 cmdline: C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\user\Desktop\1icHGAo2uY.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6136 cmdline: timeout -t 5 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup
Malware Configuration (Cryptbot V2):
{
  "C2 list": ["http://pefejo12.top/gate.php"],
  "EdgeDB": "true",
  "HistoryEdge": "false",
  "HistoryFirefox": "false",
  "Opera": "false",
  "CookiesEdge": "false",
  "Edge": "false",
  "ChromeDB": "true",
  "CookiesOpera": "false",
  "Wallet": "true",
  "CookiesFirefox": "false",
  "HistoryOpera": "false",
  "Desktop": "true",
  "Screenshot": "true",
  "EdgeExt": "true",
  "Chrome": "false",
  "Firefox": "false",
  "FirefoxDB": "true",
  "CookiesChrome": "false",
  "ChromeExt": "true",
  "HistoryChrome": "false",
  "FirefoxDBFolder": "_Firefox",
  "PasswordFile": "_AllPasswords.txt",
  "ChromeDBFolder": "_Chrome",
  "WalletFolder": "_Wallet",
  "EdgeDBFolder": "_Edge",
  "DesktopFolder": "_Desktop",
  "UserAgent": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36",
  "Prefix": "mrd-",
  "DeleteAfterEnd": "true",
  "ScreenFile": "$CREEN.PNG",
  "MessageAfterEnd": "false",
  "ExternalDownload": "http://vupmex01.top/endyma.dat",
  "InfoFile": "_Information.txt",
  "HistoryFile": "_AllHistory.txt",
  "CookiesFile": "_AllCookies.txt",
  "UAC": "false",
  "NTFS": "true"
}
Yara Matches

Source: 00000000.00000002.298813798.0000000001480000.00000040.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CryptbotV2
Description: Yara detected CryptbotV2
Author: Joe Security

Source: 00000000.00000002.300019054.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_CryptbotV2
Description: Yara detected CryptbotV2
Author: Joe Security

Source: Process Memory Space: 1icHGAo2uY.exe PID: 5420
Rule: JoeSecurity_CryptbotV2
Description: Yara detected CryptbotV2
Author: Joe Security

No Sigma rule has matched
Snort IDS Alerts

Timestamp: 10/18/22-13:28:03.133913
Source IP: 192.168.2.7
Destination IP: 8.8.8.8
SID: 2023883
Source Port: 59477
Destination Port: 53
Protocol: UDP
Classtype: Potentially Bad Traffic

Timestamp: 10/18/22-13:28:03.845341
Source IP: 192.168.2.7
Destination IP: 80.76.42.141
SID: 2038918
Source Port: 49700
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/18/22-13:28:03.845341
Source IP: 192.168.2.7
Destination IP: 80.76.42.141
SID: 2022985
Source Port: 49700
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/18/22-13:28:03.845341
Source IP: 192.168.2.7
Destination IP: 80.76.42.141
SID: 2017930
Source Port: 49700
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 1icHGAo2uY.exe | ReversingLabs: Detection: 53%
Source: 1icHGAo2uY.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\521DAFDF9C07DA0F\endyma.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | ReversingLabs: Detection: 63%
Source: 8.2.endyma.exe.a70000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 13.2.DpEditor.exe.110000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 00000000.00000002.298813798.0000000001480000.00000040.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Cryptbot V2 {"C2 list": ["http://pefejo12.top/gate.php"], "EdgeDB": "true", "HistoryEdge": "false", "HistoryFirefox": "false", "Opera": "false", "CookiesEdge": "false", "Edge": "false", "ChromeDB": "true", "CookiesOpera": "false", "Wallet": "true", "CookiesFirefox": "false", "HistoryOpera": "false", "Desktop": "true", "Screenshot": "true", "EdgeExt": "true", "Chrome": "false", "Firefox": "false", "FirefoxDB": "true", "CookiesChrome": "false", "ChromeExt": "true", "HistoryChrome": "false", "FirefoxDBFolder": "_Firefox", "PasswordFile": "_AllPasswords.txt", "ChromeDBFolder": "_Chrome", "WalletFolder": "_Wallet", "EdgeDBFolder": "_Edge", "DesktopFolder": "_Desktop", "UserAgent": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36", "Prefix": "mrd-", "DeleteAfterEnd": "true", "ScreenFile": "$CREEN.PNG", "MessageAfterEnd": "false", "ExternalDownload": "http://vupmex01.top/endyma.dat", "InfoFile": "_Information.txt", "HistoryFile": "_AllHistory.txt", "CookiesFile": "_AllCookies.txt", "UAC": "false", "NTFS": "true"}
Source: 1icHGAo2uY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE