Edit tour
Windows
Analysis Report
cqu7x.exe
Overview
General Information
Detection
Ursnif, SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Found evasive API chain (may stop execution after checking system information)
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Writes registry values via WMI
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- cqu7x.exe (PID: 1924 cmdline:
C:\Users\u ser\Deskto p\cqu7x.ex e MD5: E449924B8AA04FA2E032511CF86D2482) - explorer.exe (PID: 3528 cmdline:
C:\Windows \Explorer. EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D) - 3196.exe (PID: 5156 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\3196.ex e MD5: 969DB79BF21624D4135B30DF17777ABA) - loader_250246_15072022_2203_31102022.exe (PID: 3524 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\loader _250246_15 072022_220 3_31102022 .exe" MD5: F777E421EAB950176F802D8B92A50F7A)
- vcivdjd (PID: 5384 cmdline:
C:\Users\u ser\AppDat a\Roaming\ vcivdjd MD5: E449924B8AA04FA2E032511CF86D2482)
- cleanup
{"RSA Public Key": "srPNiXjpv7wJ4ljQO2Cz+d/1vQBpygFC+rxzA2ZfCG08A38OH/syLbdWurZUpeEopKx867ngBKiBCYKNKuEDO5TdpRu4icgODSbD5/RNGSb+8EPLgpbbUWScIJhsIrETgOb66YOp+zXevxRZPgG4/Be11WPFR9E0BCGig1wWjBqPcgDkZrDVTybbNAiB7WBjbG26Z+ggDYdJguf/gj1lSfHj+pVn5ZXxO1AaPWJ6kcSiCUWT5R2TFH550ig+/ppqRx4AuhLwYOZC0vaWmmGmwIQY5kixhB7e1gjnjAY57OHcecvOgqGpesvGL4Tg09kRioFbkNzrDQj66EB4YZ2LyeusAf9F2LccLOvlZsjgV04=", "c2_domain": ["telemetry.skype.com", "spotuoyoliusdd.ru", "sspotuoyobermanoba4.ru", "gdospotuoyluiprada8.ru", "messpotuoyoosd.ru", "klspotuoyka93hhu8.ru", "chespotuoynedr.ru"], "botnet": "15072022", "server": "50", "serpent_key": "NAyL8tmsHrJ4ZWxJ", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
{"C2 list": ["http://klenoviycdesss.ru/", "http://pali44unkis9.ru/", "http://goalichkindomik.ru/"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_Gozi_fd494041 | unknown | unknown |
| |
Windows_Trojan_Gozi_261f5ac5 | unknown | unknown |
| |
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Click to see the 16 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
Click to see the 3 entries |
⊘No Sigma rule has matched
Timestamp: | 192.168.2.437.140.192.15849695802851815 11/11/22-12:22:52.606242 |
SID: | 2851815 |
Source Port: | 49695 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Metadefender: | Perma Link |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Avira: | ||
Source: | Avira: |
Source: | ReversingLabs: | |||
Source: | ReversingLabs: | |||
Source: | ReversingLabs: | |||
Source: | Metadefender: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | Code function: |
Source: | Static PE information: |
Source: | File opened: |
Source: | Binary string: | ||
Source: | Binary string: |
Networking |
---|
Source: | Domain query: | ||
Source: | Domain query: |
Source: | Snort IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |