Analysis Report
1icHGAo2uY.exe
Overview
General Information
Detection
Field | Value
---|---
Detection | CryptbotV2
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Multi AV Scanner detection for submitted file
Yara detected CryptbotV2
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to detect sandboxes and other dynamic analysis tools (window names)
Self deletion via cmd or bat file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Found C&C like URL pattern
C2 URLs / IPs found in malware configuration
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
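The "Query firmware table information (likely to detect VMs)" signature refers to a call to GetSystemFirmwareTable with the 'RSMB' provider, after which the sample inspects the SMBIOS strings for hypervisor vendor names. The following is an added example, not code from the report or from the sample: it parses a RawSMBIOSData buffer the way such a check has to, and resolves the BIOS Information (type 0) and System Information (type 1) strings. The SMBIOS blob is constructed for the example (its vendor strings are placeholders), the VM_MARKERS list is illustrative rather than exhaustive, and read_raw_smbios_windows only works on Windows.

```python
"""Parse a raw SMBIOS table and look for virtualisation vendor strings.

Added example, not part of the Joe Sandbox report. SAMPLE_RAW is a
constructed table; on Windows the live table can be read with
read_raw_smbios_windows().
"""
import struct
import sys

# Substrings that commonly appear in SMBIOS strings of virtual machines
# (assumption: illustrative list, not exhaustive).
VM_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "kvm", "xen",
              "virtual machine", "parallels", "bochs")


def parse_smbios(raw):
    """Walk a RawSMBIOSData buffer (what GetSystemFirmwareTable('RSMB') returns).

    Header: Used20CallingMethod(1) MajorVersion(1) MinorVersion(1) DmiRevision(1)
    Length(4); then the table. Each structure is Type(1) Length(1) Handle(2),
    a formatted area, and a string set terminated by a double NUL.
    """
    if len(raw) < 8:
        raise ValueError("buffer too short for RawSMBIOSData header")
    length = struct.unpack_from("<I", raw, 4)[0]
    table = raw[8:8 + length]
    structs, off = [], 0
    while off + 4 <= len(table):
        stype, slen, handle = struct.unpack_from("<BBH", table, off)
        if slen < 4 or off + slen > len(table):
            raise ValueError("corrupt structure header at offset %d" % off)
        term = table.find(b"\x00\x00", off + slen)
        if term < 0:
            raise ValueError("unterminated string set at offset %d" % off)
        strings = [s.decode("ascii", "replace")
                   for s in table[off + slen:term].split(b"\x00") if s]
        structs.append({"type": stype, "handle": handle,
                        "formatted": table[off + 4:off + slen],
                        "strings": strings})
        off = term + 2
        if stype == 127:          # End-of-Table structure
            break
    return structs


def smbios_string(entry, field_offset):
    """Resolve a string-index field. field_offset is the spec offset from the
    structure start (0x04 = first formatted byte); indexes are 1-based, 0 = none."""
    idx = entry["formatted"][field_offset - 4]
    if idx == 0 or idx > len(entry["strings"]):
        return ""
    return entry["strings"][idx - 1]


def firmware_identity(raw):
    """Collect the vendor/product strings a VM check typically inspects."""
    ident = {}
    for s in parse_smbios(raw):
        if s["type"] == 0:                       # BIOS Information
            ident["bios_vendor"] = smbios_string(s, 0x04)
            ident["bios_version"] = smbios_string(s, 0x05)
        elif s["type"] == 1:                     # System Information
            ident["system_manufacturer"] = smbios_string(s, 0x04)
            ident["system_product"] = smbios_string(s, 0x05)
    return ident


def vm_indicators(ident):
    """Return (field, marker) pairs for every string that names a hypervisor."""
    return [(field, m) for field, value in ident.items()
            for m in VM_MARKERS if m in value.lower()]


def read_raw_smbios_windows():
    """Fetch the live table on Windows via kernel32!GetSystemFirmwareTable."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32")
    rsmb = 0x52534D42                            # 'RSMB' provider signature
    size = k32.GetSystemFirmwareTable(rsmb, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(rsmb, 0, buf, size)
    return buf.raw


def _structure(stype, handle, formatted, strings):
    """Encode one SMBIOS structure (only used to build the constructed sample)."""
    body = b"".join(s.encode("ascii") + b"\x00" for s in strings) or b"\x00"
    return struct.pack("<BBH", stype, 4 + len(formatted), handle) + formatted + body + b"\x00"


# Constructed sample: a type 0 (BIOS) and a type 1 (System) structure with
# placeholder VMware-style strings, then the end-of-table marker.
_TABLE = (
    _structure(0, 0x0000, bytes([1, 2]) + b"\x00\xe8" + bytes([3, 0]) + bytes(8),
               ["Phoenix Technologies LTD", "6.00", "07/22/2020"])
    + _structure(1, 0x0001, bytes([1, 2, 3, 4]) + bytes(16) + b"\x06",
                 ["VMware, Inc.", "VMware Virtual Platform", "None",
                  "VMware-42 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00"])
    + _structure(127, 0x0002, b"", [])
)
SAMPLE_RAW = struct.pack("<BBBBI", 0, 2, 7, 0, len(_TABLE)) + _TABLE

if __name__ == "__main__":
    raw = read_raw_smbios_windows() if sys.platform == "win32" else SAMPLE_RAW
    ident = firmware_identity(raw)
    print(ident, vm_indicators(ident))
```

The check the sample performs is the same string comparison in reverse: an analyst can run this on a sandbox guest to see which SMBIOS fields give the VM away and decide which ones to patch.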
Classification
- System is w10x64
- 1icHGAo2uY.exe (PID: 5420, cmdline: C:\Users\user\Desktop\1icHGAo2uY.exe, MD5: 9FDC2FEB79C86790BEE69E140ED9B1B9)
- cmd.exe (PID: 4500, cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\521DAFDF9C07DA0F\endyma.exe, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 928, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- endyma.exe (PID: 2216, cmdline: C:\Users\user\AppData\Roaming\521DAFDF9C07DA0F\endyma.exe, MD5: C5AF489798080EF09451F8CC09E1C5E2)
- DpEditor.exe (PID: 1380, cmdline: C:\Users\user\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe, MD5: C5AF489798080EF09451F8CC09E1C5E2)
- cmd.exe (PID: 1016, cmdline: C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\user\Desktop\1icHGAo2uY.exe, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 6112, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- timeout.exe (PID: 6136, cmdline: timeout -t 5, MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

Two details of the tree are worth noting. endyma.exe (PID 2216) and DpEditor.exe (PID 1380) carry the same MD5 (C5AF489798080EF09451F8CC09E1C5E2), so the file dropped into Roaming\521DAFDF9C07DA0F is a byte-identical copy of the NCH DrawPad editor executable. The cmd.exe at PID 1016 is the "Self deletion via cmd or bat file" signature: it waits five seconds via timeout and then deletes the original sample from the Desktop.
- cleanup
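The chain above (cmd.exe launching a payload from a 16-hex-character folder under %AppData%\Roaming, and a second cmd.exe running "timeout -t 5 && del" against the original sample) is easy to turn into a hunt over process-creation telemetry. The following is an added example and not part of the Joe Sandbox report: the Proc records are constructed from the tree above, their parent PIDs are an assumption (the report's nesting is not reproduced here), and treating the 16-hex folder name as stable across CryptbotV2 builds is an assumption as well.

```python
"""Hunt for the execution chain in the process tree above.

Added example, not part of the Joe Sandbox report. SAMPLE_TREE is
constructed from the report's tree; parent PIDs are assumed. The 16-hex
folder name under Roaming is what this sample used; treating it as stable
across builds is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# "timeout -t N && del <path>" (also "/t", and "del /f /q"); quotes are
# optional because the report's own line shows them unbalanced.
SELF_DELETE = re.compile(
    r'\btimeout\s+(?:[-/]t\s+)?(\d+)\s*&&\s*del\s+(?:/[a-z]\s+)*"?([^"&|]+?)"?\s*$',
    re.IGNORECASE,
)
# payload path of the form ...\AppData\Roaming\<16 hex>\<name>.exe
ROAMING_HEX_EXE = re.compile(
    r'\\AppData\\Roaming\\[0-9A-F]{16}\\[^\\\s"]+\.exe', re.IGNORECASE)


def find_self_deletion(procs):
    """Return (cmd pid, delay seconds, deleted path, deletes_parent_image)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.image.lower() != "cmd.exe":
            continue
        m = SELF_DELETE.search(p.cmdline)
        if not m:
            continue
        target = m.group(2).strip()
        parent = by_pid.get(p.ppid)
        # strongest form of the signal: the file being deleted is the image
        # of the process that spawned this cmd.exe
        deletes_parent = (parent is not None and
                          parent.image.lower() == target.rsplit("\\", 1)[-1].lower())
        hits.append((p.pid, int(m.group(1)), target, deletes_parent))
    return hits


def find_roaming_payloads(procs):
    """Return (pid, image, matched path) for command lines that reference an
    executable inside a 16-hex-character folder under Roaming."""
    hits = []
    for p in procs:
        m = ROAMING_HEX_EXE.search(p.cmdline)
        if m:
            hits.append((p.pid, p.image, m.group(0)))
    return hits


# Constructed from the report's process tree; ppid values are assumed.
SAMPLE_TREE = [
    Proc(5420, 1000, "1icHGAo2uY.exe", r"C:\Users\user\Desktop\1icHGAo2uY.exe"),
    Proc(4500, 5420, "cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\521DAFDF9C07DA0F\endyma.exe'),
    Proc(928, 4500, "conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    Proc(2216, 4500, "endyma.exe", r"C:\Users\user\AppData\Roaming\521DAFDF9C07DA0F\endyma.exe"),
    Proc(1380, 2216, "DpEditor.exe", r"C:\Users\user\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"),
    Proc(1016, 5420, "cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\user\Desktop\1icHGAo2uY.exe"'),
    Proc(6112, 1016, "conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    Proc(6136, 1016, "timeout.exe", "timeout -t 5"),
]

if __name__ == "__main__":
    for hit in find_self_deletion(SAMPLE_TREE):
        print("self-delete:", hit)
    for hit in find_roaming_payloads(SAMPLE_TREE):
        print("roaming payload:", hit)
```

DpEditor.exe under Roaming\NCH Software is deliberately not matched by ROAMING_HEX_EXE: the folder name is not 16 hex characters, which is the property that separates the dropped copy from a normal per-user install of the same program.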
Malware Configuration

```json
{
  "C2 list": ["http://pefejo12.top/gate.php"],
  "EdgeDB": "true",
  "HistoryEdge": "false",
  "HistoryFirefox": "false",
  "Opera": "false",
  "CookiesEdge": "false",
  "Edge": "false",
  "ChromeDB": "true",
  "CookiesOpera": "false",
  "Wallet": "true",
  "CookiesFirefox": "false",
  "HistoryOpera": "false",
  "Desktop": "true",
  "Screenshot": "true",
  "EdgeExt": "true",
  "Chrome": "false",
  "Firefox": "false",
  "FirefoxDB": "true",
  "CookiesChrome": "false",
  "ChromeExt": "true",
  "HistoryChrome": "false",
  "FirefoxDBFolder": "_Firefox",
  "PasswordFile": "_AllPasswords.txt",
  "ChromeDBFolder": "_Chrome",
  "WalletFolder": "_Wallet",
  "EdgeDBFolder": "_Edge",
  "DesktopFolder": "_Desktop",
  "UserAgent": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36",
  "Prefix": "mrd-",
  "DeleteAfterEnd": "true",
  "ScreenFile": "$CREEN.PNG",
  "MessageAfterEnd": "false",
  "ExternalDownload": "http://vupmex01.top/endyma.dat",
  "InfoFile": "_Information.txt",
  "HistoryFile": "_AllHistory.txt",
  "CookiesFile": "_AllCookies.txt",
  "UAC": "false",
  "NTFS": "true"
}
```
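The extracted configuration is the most reusable part of the report: the C2 URL, the second-stage download URL and the names of the files the stealer writes can be consumed directly. The following is an added example, not part of the Joe Sandbox report. CONFIG repeats only the network and output-file keys from the configuration above; the proxy-log format (space-separated timestamp, client, method, host, path, user agent) and the log lines are constructed; and the way the indicators are weighted is an assumption.

```python
"""Turn the extracted CryptbotV2 configuration into hunting indicators and
run them over web-proxy log lines.

Added example, not part of the Joe Sandbox report. CONFIG is a subset of
the report's configuration; LOG and its format are constructed.
"""
from urllib.parse import urlsplit

CONFIG = {
    "C2 list": ["http://pefejo12.top/gate.php"],
    "ExternalDownload": "http://vupmex01.top/endyma.dat",
    "UserAgent": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36",
    "PasswordFile": "_AllPasswords.txt",
    "InfoFile": "_Information.txt",
    "HistoryFile": "_AllHistory.txt",
    "CookiesFile": "_AllCookies.txt",
    "ScreenFile": "$CREEN.PNG",
    "DeleteAfterEnd": "true",
}

# Constructed proxy log: time client method host path user-agent
LOG = """\
2022-10-18T13:28:03 192.168.2.7 POST pefejo12.top /gate.php Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
2022-10-18T13:28:04 192.168.2.7 GET vupmex01.top /endyma.dat Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
2022-10-18T13:28:05 192.168.2.7 GET www.example.com / Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
2022-10-18T13:29:00 192.168.2.9 POST other.example /gate.php curl/7.85.0
"""


def iocs_from_config(cfg):
    """Split the config into host, path, user-agent and file-name indicators."""
    c2 = [urlsplit(u) for u in cfg.get("C2 list", [])]
    dl = [urlsplit(cfg["ExternalDownload"])] if cfg.get("ExternalDownload") else []
    return {
        "c2_hosts": {u.hostname for u in c2},
        "c2_paths": {u.path for u in c2},
        "download_hosts": {u.hostname for u in dl},
        "download_paths": {u.path for u in dl},
        "user_agent": cfg.get("UserAgent", ""),
        # every *File key names an output the stealer writes before exfiltration
        "exfil_files": sorted(v for k, v in cfg.items() if k.endswith("File")),
    }


def hunt(lines, iocs):
    """Return (line number, reason) for log lines that match the indicators.

    The user agent is intentionally not a criterion: it is a stock Chrome 106
    string (the report's "known web browser user agent" signature), so it
    matches legitimate traffic just as well.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 5)
        if len(parts) < 6:
            continue
        _ts, _client, method, host, path, _ua = parts
        host = host.lower()
        if host in iocs["c2_hosts"]:
            hits.append((n, "c2_host"))
        elif host in iocs["download_hosts"]:
            hits.append((n, "download_host"))
        elif method == "POST" and path in iocs["c2_paths"]:
            # weak signal: gate.php is a generic name shared by many stealers
            hits.append((n, "c2_path_only"))
    return hits


def looks_like_staging(filenames, iocs, minimum=2):
    """True when a directory listing (or file-write telemetry) contains at
    least `minimum` of the configured output file names."""
    wanted = set(iocs["exfil_files"])
    return sum(1 for f in filenames if f in wanted) >= minimum


if __name__ == "__main__":
    iocs = iocs_from_config(CONFIG)
    for hit in hunt(LOG.splitlines(), iocs):
        print(hit)
    print(looks_like_staging(["_AllPasswords.txt", "_Information.txt", "$CREEN.PNG"], iocs))
```

With DeleteAfterEnd set to "true" the staging files are removed once the upload finishes, so looks_like_staging is most useful against file-creation telemetry rather than a post-infection disk image.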
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_CryptbotV2 | Yara detected CryptbotV2 | Joe Security | |
| | JoeSecurity_CryptbotV2 | Yara detected CryptbotV2 | Joe Security | |
| | JoeSecurity_CryptbotV2 | Yara detected CryptbotV2 | Joe Security | |
No Sigma rule has matched
Snort IDS alerts

Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype
---|---|---|---|---|---|---|---
10/18/22-13:28:03.133913 | 192.168.2.7 | 59477 | 8.8.8.8 | 53 | UDP | 2023883 | Potentially Bad Traffic
10/18/22-13:28:03.845341 | 192.168.2.7 | 49700 | 80.76.42.141 | 80 | TCP | 2038918 | A Network Trojan was detected
10/18/22-13:28:03.845341 | 192.168.2.7 | 49700 | 80.76.42.141 | 80 | TCP | 2022985 | A Network Trojan was detected
10/18/22-13:28:03.845341 | 192.168.2.7 | 49700 | 80.76.42.141 | 80 | TCP | 2017930 | A Network Trojan was detected
AV Detection

Source | Detection
---|---
ReversingLabs |
Avira |
ReversingLabs |
ReversingLabs |
Avira |
Avira |
Malware Configuration Extractor |
Static PE information |