Edit tour
Windows
Analysis Report
q4Z52wRd28.exe
Overview
General Information
| Sample Name: | q4Z52wRd28.exe |
| Analysis ID: | 749948 |
| MD5: | a687e1c326c9f03569bbfef53e21c315 |
| SHA1: | 1993746a547c67807c1118501e1a7ff9261f7c8b |
| SHA256: | 8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74 |
| Tags: | exeSmokeLoader |
| Infos: |  |
 | |
Detection
Ursnif, Amadey, RedLine, SmokeLoader, Vidar
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected RedLine Stealer
Yara detected Amadeys stealer DLL
Detected unpacking (overwrites its own PE header)
Yara detected Go Stealer
Yara detected Ursnif
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Writes or reads registry keys via WMI
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign processes
Opens the same file many times (likely Sandbox evasion)
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Writes registry values via WMI
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Injects code into the Windows Explorer (explorer.exe)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
Uses cacls to modify the permissions of files
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Classification
- System is w10x64
q4Z52wRd28.exe (PID: 5708 cmdline: C:\Users\u ser\Deskto p\q4Z52wRd 28.exe MD5: A687E1C326C9F03569BBFEF53E21C315) 
explorer.exe (PID: 3452 cmdline: C:\Windows \Explorer. EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D) 
A852.exe (PID: 6000 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\A852.ex e MD5: 0E455D9C65E7D53A67C227DCD8D70FB8) - rovwer.exe (PID: 4852 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\99e342 142d\rovwe r.exe" MD5: 0E455D9C65E7D53A67C227DCD8D70FB8) 
schtasks.exe (PID: 2384 cmdline: "C:\Window s\System32 \schtasks. exe" /Crea te /SC MIN UTE /MO 1 /TN rovwer .exe /TR " C:\Users\u ser\AppDat a\Local\Te mp\99e3421 42d\rovwer .exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04) 
conhost.exe (PID: 2364 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 6140 cmdline:
"C:\Window s\System32 \cmd.exe" /k echo Y| CACLS "rov wer.exe" / P "user:N" &&CACLS "r ovwer.exe" /P "user: R" /E&&ech o Y|CACLS "..\99e342 142d" /P " user:N"&&C ACLS "..\9 9e342142d" /P "user: R" /E&&Exi t MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 2820 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 68 cmdline:
C:\Windows \system32\ cmd.exe /S /D /c" ec ho Y" MD5: F3BDBE3BB6F734E357235F4D5898582D) - cacls.exe (PID: 2016 cmdline:
CACLS "rov wer.exe" / P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25) - cacls.exe (PID: 5168 cmdline:
CACLS "rov wer.exe" / P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25) - cmd.exe (PID: 5444 cmdline:
C:\Windows \system32\ cmd.exe /S /D /c" ec ho Y" MD5: F3BDBE3BB6F734E357235F4D5898582D) - cacls.exe (PID: 5484 cmdline:
CACLS "..\ 99e342142d " /P "user :N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25) - cacls.exe (PID: 5608 cmdline:
CACLS "..\ 99e342142d " /P "user :R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25) 
rundll32.exe (PID: 4964 cmdline: "C:\Window s\System32 \rundll32. exe" C:\Us ers\user\A ppData\Roa ming\a091e c0a6e2227\ cred64.dll , Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D) 
B4A7.exe (PID: 3080 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\B4A7.ex e MD5: F96144B1D5B53D93CAADDDADE38DB5E9) - CF35.exe (PID: 4392 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\CF35.ex e MD5: 44A7E13ECC55CE9797C5121B230D9927) - RegSvcs.exe (PID: 5128 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\Re gSvcs.exe MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF) 
E35A.exe (PID: 4252 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\E35A.ex e MD5: 19A79DADDFAAC09499E79ADE27E756F8) - EB2B.exe (PID: 5512 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\EB2B.ex e MD5: F46063253FF38E6B2452BF4410C5FEC0) - EB2B.exe (PID: 5628 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\EB2B.ex e MD5: F46063253FF38E6B2452BF4410C5FEC0) - EB2B.exe (PID: 5828 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\EB2B.ex e MD5: F46063253FF38E6B2452BF4410C5FEC0) - cmd.exe (PID: 1852 cmdline:
"C:\Window s\System32 \cmd.exe" /c timeout /t 6 & de l /f /q "C :\Users\us er\AppData \Local\Tem p\EB2B.exe " & exit MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 5944 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - timeout.exe (PID: 5980 cmdline:
timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659) 
F771.exe (PID: 5640 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\F771.ex e MD5: DF920AEBFABB8C4CCCEB4DCEAD922ABD) - explorer.exe (PID: 5644 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7) - explorer.exe (PID: 5656 cmdline:
C:\Windows \explorer. exe MD5: AD5296B280E8F522A8A897C96BAB0E1D) - explorer.exe (PID: 5816 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7) - explorer.exe (PID: 5876 cmdline:
C:\Windows \explorer. exe MD5: AD5296B280E8F522A8A897C96BAB0E1D) - explorer.exe (PID: 5068 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7) - explorer.exe (PID: 3932 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7) - explorer.exe (PID: 408 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7) - explorer.exe (PID: 4972 cmdline:
C:\Windows \explorer. exe MD5: AD5296B280E8F522A8A897C96BAB0E1D) - explorer.exe (PID: 5248 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
- cttgcew (PID: 4220 cmdline:
C:\Users\u ser\AppDat a\Roaming\ cttgcew MD5: A687E1C326C9F03569BBFEF53E21C315)
- rovwer.exe (PID: 5372 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\99e3421 42d\rovwer .exe MD5: 0E455D9C65E7D53A67C227DCD8D70FB8)
- cleanup
{"C2 url": "185.106.92.111:2510", "Bot Id": "New2022", "Authorization Header": "ef6fe7baf59e3191ff2f569e3bf0e2c7"}{"RSA Public Key": "9YTR8AStfTOVxekPy7nye/rJL/CYnuMKiTBMit/N9dFJomCZQw3gdJ20hYjZiaY5PCNTRgc/z2gXfPlfCRRq0/mF+oSBOgliUoJHNN6O1Nl/zAv1hC+MVoITbvAJoj6LnOzFs9h/l3E4DMphz+dHiiDgppDXx4StPfi30EoQByvOIhjndZV3g8kYMJyGj8dxlmi3X9wSz6RHT9/HWCOS/i2phbREwr7oohHwh6mObxVhJVx0tZ18f2U+SsDunGdf1nLcyWHfM0cx6e8zBNRaXlZ1HhTEFzQdz5EF2h+r74n2bFODhb+ozhtKQ1CBEf0hf+5D8mLZuH2C+VOO+s90bjJxpTvGseErYwzAwE2lC4o=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "botnet": "20", "server": "50", "serpent_key": "izoHlMTDxrB6IFB3", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}{"C2 list": ["http://o3l3roozuidudu.com/", "http://o3npxslymcyfi2.com/", "http://o3b1wk8sfk74tf.com/"]}{"C2 url": ["https://t.me/deadftx", "https://www.tiktok.com/@user6068972597711"], "Botnet": "1148", "Version": "55.7"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security | ||
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
| JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
| INDICATOR_TOOL_PWS_Amady | Detects password stealer |