Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
q4Z52wRd28.exe

Overview

General Information

Sample Name:q4Z52wRd28.exe
Analysis ID:749948
MD5:a687e1c326c9f03569bbfef53e21c315
SHA1:1993746a547c67807c1118501e1a7ff9261f7c8b
SHA256:8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74
Tags:exeSmokeLoader
Infos:

Detection

Ursnif, Amadey, RedLine, SmokeLoader, Vidar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Yara detected Amadeys stealer DLL
Detected unpacking (overwrites its own PE header)
Yara detected Go Stealer
Yara detected Ursnif
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Writes or reads registry keys via WMI
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign processes
Opens the same file many times (likely Sandbox evasion)
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Writes registry values via WMI
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Injects code into the Windows Explorer (explorer.exe)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
Uses cacls to modify the permissions of files
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges

Classification

  • System is w10x64
  • q4Z52wRd28.exe (PID: 5708 cmdline: C:\Users\user\Desktop\q4Z52wRd28.exe MD5: A687E1C326C9F03569BBFEF53E21C315)
    • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • A852.exe (PID: 6000 cmdline: C:\Users\user\AppData\Local\Temp\A852.exe MD5: 0E455D9C65E7D53A67C227DCD8D70FB8)
        • rovwer.exe (PID: 4852 cmdline: "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" MD5: 0E455D9C65E7D53A67C227DCD8D70FB8)
          • schtasks.exe (PID: 2384 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 6140 cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • cmd.exe (PID: 68 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • cacls.exe (PID: 2016 cmdline: CACLS "rovwer.exe" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
            • cacls.exe (PID: 5168 cmdline: CACLS "rovwer.exe" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
            • cmd.exe (PID: 5444 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • cacls.exe (PID: 5484 cmdline: CACLS "..\99e342142d" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
            • cacls.exe (PID: 5608 cmdline: CACLS "..\99e342142d" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
          • rundll32.exe (PID: 4964 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • B4A7.exe (PID: 3080 cmdline: C:\Users\user\AppData\Local\Temp\B4A7.exe MD5: F96144B1D5B53D93CAADDDADE38DB5E9)
      • CF35.exe (PID: 4392 cmdline: C:\Users\user\AppData\Local\Temp\CF35.exe MD5: 44A7E13ECC55CE9797C5121B230D9927)
        • RegSvcs.exe (PID: 5128 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF)
      • E35A.exe (PID: 4252 cmdline: C:\Users\user\AppData\Local\Temp\E35A.exe MD5: 19A79DADDFAAC09499E79ADE27E756F8)
      • EB2B.exe (PID: 5512 cmdline: C:\Users\user\AppData\Local\Temp\EB2B.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)
        • EB2B.exe (PID: 5628 cmdline: C:\Users\user\AppData\Local\Temp\EB2B.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)
          • EB2B.exe (PID: 5828 cmdline: C:\Users\user\AppData\Local\Temp\EB2B.exe MD5: F46063253FF38E6B2452BF4410C5FEC0)
            • cmd.exe (PID: 1852 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\Temp\EB2B.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • timeout.exe (PID: 5980 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • F771.exe (PID: 5640 cmdline: C:\Users\user\AppData\Local\Temp\F771.exe MD5: DF920AEBFABB8C4CCCEB4DCEAD922ABD)
      • explorer.exe (PID: 5644 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 5656 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 5816 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 5876 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 5068 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 3932 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 408 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 4972 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 5248 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • cttgcew (PID: 4220 cmdline: C:\Users\user\AppData\Roaming\cttgcew MD5: A687E1C326C9F03569BBFEF53E21C315)
  • rovwer.exe (PID: 5372 cmdline: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe MD5: 0E455D9C65E7D53A67C227DCD8D70FB8)
  • cleanup
{"C2 url": "185.106.92.111:2510", "Bot Id": "New2022", "Authorization Header": "ef6fe7baf59e3191ff2f569e3bf0e2c7"}
{"RSA Public Key": "9YTR8AStfTOVxekPy7nye/rJL/CYnuMKiTBMit/N9dFJomCZQw3gdJ20hYjZiaY5PCNTRgc/z2gXfPlfCRRq0/mF+oSBOgliUoJHNN6O1Nl/zAv1hC+MVoITbvAJoj6LnOzFs9h/l3E4DMphz+dHiiDgppDXx4StPfi30EoQByvOIhjndZV3g8kYMJyGj8dxlmi3X9wSz6RHT9/HWCOS/i2phbREwr7oohHwh6mObxVhJVx0tZ18f2U+SsDunGdf1nLcyWHfM0cx6e8zBNRaXlZ1HhTEFzQdz5EF2h+r74n2bFODhb+ozhtKQ1CBEf0hf+5D8mLZuH2C+VOO+s90bjJxpTvGseErYwzAwE2lC4o=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "botnet": "20", "server": "50", "serpent_key": "izoHlMTDxrB6IFB3", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
{"C2 list": ["http://o3l3roozuidudu.com/", "http://o3npxslymcyfi2.com/", "http://o3b1wk8sfk74tf.com/"]}
{"C2 url": ["https://t.me/deadftx", "https://www.tiktok.com/@user6068972597711"], "Botnet": "1148", "Version": "55.7"}
SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_AmadeyYara detected Amadey botJoe Security
    dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security
      dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
        SourceRuleDescriptionAuthorStrings
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dllJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dllINDICATOR_TOOL_PWS_AmadyDetects password stealer