
Windows Analysis Report
666.exe

Overview

General Information

Sample Name: 666.exe
Analysis ID: 728891
MD5: a2415c70a55fc6411f9679a0cb5a9041
SHA1: d440db44a8ffe43111dacbc59edb7f1ff09e0fa9
SHA256: 4cb0b838560c4e859b8aa29c40fffde2f196a827eda7f69a2b766299651c50df

Detection

DarkTortilla, Eternity Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected DarkTortilla Crypter
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Capture Wi-Fi password
Yara detected Eternity Stealer
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Found Tor onion address
Tries to harvest and steal WLAN passwords
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to harvest and steal Bitcoin Wallet information
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Connects to a pastebin service (likely for C&C)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Queries information about the installed CPU (vendor, model number etc)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • 666.exe (PID: 2856 cmdline: C:\Users\user\Desktop\666.exe MD5: A2415C70A55FC6411F9679A0CB5A9041)
    • JheRFreeJe.exe (PID: 5184 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JheRFreeJe.exe" MD5: F2CE67E03006106A1B4AFEFBA7ABB94C)
    • InstallUtil.exe (PID: 2808 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • cmd.exe (PID: 1796 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • chcp.com (PID: 2284 cmdline: chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9)
        • netsh.exe (PID: 4724 cmdline: netsh wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • findstr.exe (PID: 6048 cmdline: findstr All MD5: 8B534A7FC0630DE41BB1F98C882C19EC)
      • cmd.exe (PID: 1776 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • chcp.com (PID: 4032 cmdline: chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9)
        • netsh.exe (PID: 6016 cmdline: netsh wlan show profile name="65001" key=clear MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • findstr.exe (PID: 4500 cmdline: findstr Key MD5: 8B534A7FC0630DE41BB1F98C882C19EC)
{"C2 url": ["http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion/"]}
Source | Rule | Description | Author | Strings
  • Source: 00000000.00000002.477126360.00000000033E0000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_DarkTortilla | Description: Yara detected DarkTortilla Crypter | Author: Joe Security
  • Source: 00000002.00000002.579486286.00000000030DE000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_EternityStealer | Description: Yara detected Eternity Stealer | Author: Joe Security
  • Source: 00000002.00000002.579614747.00000000030F6000.00000004.00000800.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Description: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
    • 0x3e70:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
  • Source: 00000000.00000002.481759289.00000000034DE000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_DarkTortilla | Description: Yara detected DarkTortilla Crypter | Author: Joe Security
  • Source: Process Memory Space: 666.exe PID: 2856 | Rule: JoeSecurity_DarkTortilla | Description: Yara detected DarkTortilla Crypter | Author: Joe Security
Source | Rule | Description | Author | Strings
  • Source: 0.2.666.exe.72ba968.2.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
    • 0x47c3c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x47cae:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x47d38:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x47dca:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x47e34:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x47ea6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x47f3c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x47fcc:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • Source: 2.0.InstallUtil.exe.400000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
  • Source: 2.0.InstallUtil.exe.400000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
    • 0x49a3c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x49aae:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x49b38:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x49bca:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x49c34:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x49ca6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x49d3c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x49dcc:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • Source: 0.3.666.exe.52197a2.2.raw.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
  • Source: 0.3.666.exe.52197a2.2.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
    • 0x49a3c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x49aae:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x49b38:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x49bca:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x49c34:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x49ca6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x49d3c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x49dcc:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Stealing of Sensitive Information

Source: Process started
Author: Joe Security
Data:
  Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  CommandLine|base64offset|contains: 
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  ParentProcessId: 2808
  ParentProcessName: InstallUtil.exe
  ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  ProcessId: 1796
  ProcessName: cmd.exe

Snort alert 1
  Timestamp: 10/24/22-09:21:49.562972
  Source IP: 192.168.2.5
  Destination IP: 23.226.74.163
  Source Port: 49704
  Destination Port: 6352
  SID: 2032083
  Protocol: TCP
  Classtype: A Network Trojan was detected

Snort alert 2
  Timestamp: 10/24/22-09:21:55.434864
  Source IP: 23.226.74.163
  Destination IP: 192.168.2.5
  Source Port: 6352
  Destination Port: 49704
  SID: 2032084
  Protocol: TCP
  Classtype: A Network Trojan was detected


              AV Detection