Edit tour
Windows
Analysis Report
S2XJ2wbz7u.exe
Overview
General Information
Detection
Ursnif, Amadey, RedLine, SmokeLoader, Vidar
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected RedLine Stealer
Yara detected Amadeys stealer DLL
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Opens the same file many times (likely Sandbox evasion)
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Injects code into the Windows Explorer (explorer.exe)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Connects to a URL shortener service
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
Uses cacls to modify the permissions of files
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- S2XJ2wbz7u.exe (PID: 6020 cmdline:
C:\Users\u ser\Deskto p\S2XJ2wbz 7u.exe MD5: FFB4CF34B38F126C917E1C1E1D26DF73) - explorer.exe (PID: 3452 cmdline:
C:\Windows \Explorer. EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D) - 2B4A.exe (PID: 5260 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\2B4A.ex e MD5: 2DEE200193091BE2F2321D921750C4ED) - 3790.exe (PID: 2336 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\3790.ex e MD5: 5E08968D858224A33175069D64DC7F39) - rovwer.exe (PID: 4764 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\99e342 142d\rovwe r.exe" MD5: 5E08968D858224A33175069D64DC7F39) - schtasks.exe (PID: 1396 cmdline:
"C:\Window s\System32 \schtasks. exe" /Crea te /SC MIN UTE /MO 1 /TN rovwer .exe /TR " C:\Users\u ser\AppDat a\Local\Te mp\99e3421 42d\rovwer .exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04) - conhost.exe (PID: 2992 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 5972 cmdline:
"C:\Window s\System32 \cmd.exe" /k echo Y| CACLS "rov wer.exe" / P "user:N" &&CACLS "r ovwer.exe" /P "user: R" /E&&ech o Y|CACLS "..\99e342 142d" /P " user:N"&&C ACLS "..\9 9e342142d" /P "user: R" /E&&Exi t MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 2436 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 3012 cmdline:
C:\Windows \system32\ cmd.exe /S /D /c" ec ho Y" MD5: F3BDBE3BB6F734E357235F4D5898582D) - cacls.exe (PID: 4392 cmdline:
CACLS "rov wer.exe" / P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25) - cacls.exe (PID: 4984 cmdline:
CACLS "rov wer.exe" / P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25) - cmd.exe (PID: 5640 cmdline:
C:\Windows \system32\ cmd.exe /S /D /c" ec ho Y" MD5: F3BDBE3BB6F734E357235F4D5898582D) - cacls.exe (PID: 5668 cmdline:
CACLS "..\ 99e342142d " /P "user :N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25) - cacls.exe (PID: 3124 cmdline:
CACLS "..\ 99e342142d " /P "user :R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25) - 453D.exe (PID: 4024 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\453D.ex e MD5: F96144B1D5B53D93CAADDDADE38DB5E9) - 59FE.exe (PID: 5228 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\59FE.ex e MD5: 44A7E13ECC55CE9797C5121B230D9927) - 6644.exe (PID: 1916 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\6644.ex e MD5: 19A79DADDFAAC09499E79ADE27E756F8) - 6CEC.exe (PID: 4968 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\6CEC.ex e MD5: 28A6112DCB54CE6886F7D9ACB8A15E31) - conhost.exe (PID: 408 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - vbc.exe (PID: 5496 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\vbc. exe MD5: B3A917344F5610BEEC562556F11300FA) - 816F.exe (PID: 1172 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\816F.ex e MD5: 730A7A6F235525238EE33A2C046C2BA7) - 86EE.exe (PID: 4972 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\86EE.ex e MD5: F46063253FF38E6B2452BF4410C5FEC0) - 8C00.exe (PID: 5400 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\8C00.ex e MD5: F46063253FF38E6B2452BF4410C5FEC0) - 8C00.exe (PID: 5936 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\8C00.ex e MD5: F46063253FF38E6B2452BF4410C5FEC0) - explorer.exe (PID: 5612 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7) - explorer.exe (PID: 5928 cmdline:
C:\Windows \explorer. exe MD5: AD5296B280E8F522A8A897C96BAB0E1D) - explorer.exe (PID: 1768 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7) - explorer.exe (PID: 5080 cmdline:
C:\Windows \explorer. exe MD5: AD5296B280E8F522A8A897C96BAB0E1D) - explorer.exe (PID: 3780 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
- tiddsjj (PID: 3152 cmdline:
C:\Users\u ser\AppDat a\Roaming\ tiddsjj MD5: FFB4CF34B38F126C917E1C1E1D26DF73)
- rovwer.exe (PID: 2560 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\99e3421 42d\rovwer .exe MD5: 5E08968D858224A33175069D64DC7F39)
- cleanup
{"C2 url": "185.106.92.111:2510", "Bot Id": "New2022", "Authorization Header": "ef6fe7baf59e3191ff2f569e3bf0e2c7"}
{"RSA Public Key": "9YTR8AStfTOVxekPy7nye/rJL/CYnuMKiTBMit/N9dFJomCZQw3gdJ20hYjZiaY5PCNTRgc/z2gXfPlfCRRq0/mF+oSBOgliUoJHNN6O1Nl/zAv1hC+MVoITbvAJoj6LnOzFs9h/l3E4DMphz+dHiiDgppDXx4StPfi30EoQByvOIhjndZV3g8kYMJyGj8dxlmi3X9wSz6RHT9/HWCOS/i2phbREwr7oohHwh6mObxVhJVx0tZ18f2U+SsDunGdf1nLcyWHfM0cx6e8zBNRaXlZ1HhTEFzQdz5EF2h+r74n2bFODhb+ozhtKQ1CBEf0hf+5D8mLZuH2C+VOO+s90bjJxpTvGseErYwzAwE2lC4o=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "botnet": "20", "server": "50", "serpent_key": "izoHlMTDxrB6IFB3", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
{"C2 list": ["http://o3l3roozuidudu.com/", "http://o3npxslymcyfi2.com/", "http://o3b1wk8sfk74tf.com/"]}
{"C2 url": ["https://t.me/deadftx", "https://www.tiktok.com/@user6068972597711"], "Botnet": "1148", "Version": "55.7"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security | ||
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
INDICATOR_TOOL_PWS_Amady | Detects password stealer DLL. Dropped by Amadey | ditekSHen |
| |
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
INDICATOR_TOOL_PWS_Amady | Detects password stealer DLL. Dropped by Amadey | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
Click to see the 62 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| |
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
Click to see the 40 entries |
⊘No Sigma rule has matched
Timestamp: | 192.168.2.377.232.37.22849729802851815 11/19/22-10:38:14.789628 |
SID: | 2851815 |
Source Port: | 49729 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.377.232.37.22849733802851815 11/19/22-10:38:20.903452 |
SID: | 2851815 |
Source Port: | 49733 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.377.232.37.22849725802851815 11/19/22-10:38:10.657737 |
SID: | 2851815 |
Source Port: | 49725 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.389.208.107.21649738802018581 11/19/22-10:38:23.294845 |
SID: | 2018581 |
Source Port: | 49738 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Avira: | ||
Source: | Avira: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: | |||
Source: | ReversingLabs: | |||
Source: | ReversingLabs: | |||
Source: | Metadefender: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Compliance |
---|
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Networking |
---|
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Network Connect: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Network Connect: | ||
Source: | Domain query: |
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | DNS query: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |