Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
S2XJ2wbz7u.exe

Overview

General Information

Sample Name:S2XJ2wbz7u.exe
Analysis ID:749806
MD5:ffb4cf34b38f126c917e1c1e1d26df73
SHA1:36e558fdb10418aa971aea3f02d6ba1f4d566ed2
SHA256:4a47fdbb09dd09ea813c0475d32f693cbbded09b3753def43179f91e1a8f8a55
Tags:exeRedLineStealer
Infos:

Detection

Ursnif, Amadey, RedLine, SmokeLoader, Vidar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Yara detected Amadeys stealer DLL
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Opens the same file many times (likely Sandbox evasion)
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Injects code into the Windows Explorer (explorer.exe)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Connects to a URL shortener service
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
Uses cacls to modify the permissions of files
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • S2XJ2wbz7u.exe (PID: 6020 cmdline: C:\Users\user\Desktop\S2XJ2wbz7u.exe MD5: FFB4CF34B38F126C917E1C1E1D26DF73)
    • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • 2B4A.exe (PID: 5260 cmdline: C:\Users\user\AppData\Local\Temp\2B4A.exe MD5: 2DEE200193091BE2F2321D921750C4ED)
      • 3790.exe (PID: 2336 cmdline: C:\Users\user\AppData\Local\Temp\3790.exe MD5: 5E08968D858224A33175069D64DC7F39)
        • rovwer.exe (PID: 4764 cmdline: "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" MD5: 5E08968D858224A33175069D64DC7F39)
          • schtasks.exe (PID: 1396 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5972 cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • cmd.exe (PID: 3012 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • cacls.exe (PID: 4392 cmdline: CACLS "rovwer.exe" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
            • cacls.exe (PID: 4984 cmdline: CACLS "rovwer.exe" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
            • cmd.exe (PID: 5640 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • cacls.exe (PID: 5668 cmdline: CACLS "..\99e342142d" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
            • cacls.exe (PID: 3124 cmdline: CACLS "..\99e342142d" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
      • 453D.exe (PID: 4024 cmdline: C:\Users\user\AppData\Local\Temp\453D.exe MD5: F96144B1D5B53D93CAADDDADE38DB5E9)
      • 59FE.exe (PID: 5228 cmdline: C:\Users\user\AppData\Local\Temp\59FE.exe MD5: 44A7E13ECC55CE9797C5121B230D9927)
      • 6644.exe (PID: 1916 cmdline: C:\Users\user\AppData\Local\Temp\6644.exe MD5: 19A79DADDFAAC09499E79ADE27E756F8)
      • 6CEC.exe (PID: 4968 cmdline: C:\Users\user\AppData\Local\Temp\6CEC.exe MD5: 28A6112DCB54CE6886F7D9ACB8A15E31)
        • conhost.exe (PID: 408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • vbc.exe (PID: 5496 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
      • 816F.exe (PID: 1172 cmdline: C:\Users\user\AppData\Local\Temp\816F.exe MD5: 730A7A6F235525238EE33A2C046C2BA7)
      • 86EE.exe (PID: 4972 cmdline: C:\Users\user\AppData\Local\Temp\86EE.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)
        • 86EE.exe (PID: 5560 cmdline: C:\Users\user\AppData\Local\Temp\86EE.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)
          • 86EE.exe (PID: 5068 cmdline: C:\Users\user\AppData\Local\Temp\86EE.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)
      • 8C00.exe (PID: 5400 cmdline: C:\Users\user\AppData\Local\Temp\8C00.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)
        • 8C00.exe (PID: 5936 cmdline: C:\Users\user\AppData\Local\Temp\8C00.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)
      • explorer.exe (PID: 5612 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 5928 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 1768 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 5080 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 3780 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • tiddsjj (PID: 3152 cmdline: C:\Users\user\AppData\Roaming\tiddsjj MD5: FFB4CF34B38F126C917E1C1E1D26DF73)
  • rovwer.exe (PID: 2560 cmdline: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe MD5: 5E08968D858224A33175069D64DC7F39)
  • cleanup
{"C2 url": "185.106.92.111:2510", "Bot Id": "New2022", "Authorization Header": "ef6fe7baf59e3191ff2f569e3bf0e2c7"}
{"RSA Public Key": "9YTR8AStfTOVxekPy7nye/rJL/CYnuMKiTBMit/N9dFJomCZQw3gdJ20hYjZiaY5PCNTRgc/z2gXfPlfCRRq0/mF+oSBOgliUoJHNN6O1Nl/zAv1hC+MVoITbvAJoj6LnOzFs9h/l3E4DMphz+dHiiDgppDXx4StPfi30EoQByvOIhjndZV3g8kYMJyGj8dxlmi3X9wSz6RHT9/HWCOS/i2phbREwr7oohHwh6mObxVhJVx0tZ18f2U+SsDunGdf1nLcyWHfM0cx6e8zBNRaXlZ1HhTEFzQdz5EF2h+r74n2bFODhb+ozhtKQ1CBEf0hf+5D8mLZuH2C+VOO+s90bjJxpTvGseErYwzAwE2lC4o=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "botnet": "20", "server": "50", "serpent_key": "izoHlMTDxrB6IFB3", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
{"C2 list": ["http://o3l3roozuidudu.com/", "http://o3npxslymcyfi2.com/", "http://o3b1wk8sfk74tf.com/"]}
{"C2 url": ["http