Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
conhost.exe

Overview

General Information

Sample Name:conhost.exe
Analysis ID:753421
MD5:8c9dca7a1d21e402c885d50af18737d1
SHA1:39cdfb61bf1a94d064a5ac5648ab552ca20be539
SHA256:7cb6264b793849e31f23a7eb4f18f59a71fd3e44760be9d6052bbcdc2dfdf15c
Infos:

Detection

CryptOne, SystemBC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected CryptOne packer
Yara detected SystemBC
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Found evasive API chain (may stop execution after checking a module file name)
Creates job files (autostart)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to record screenshots
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Extensive use of GetProcAddress (often used to hide API calls)
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Found large amount of non-executed APIs

Classification

Process Tree

  • System is w10x64
  • conhost.exe (PID: 3648 cmdline: C:\Users\user\Desktop\conhost.exe MD5: 8C9DCA7A1D21E402C885D50AF18737D1)
  • conhost.exe (PID: 3924 cmdline: C:\Users\user\Desktop\conhost.exe start MD5: 8C9DCA7A1D21E402C885D50AF18737D1)
  • cleanup

Malware Configuration

Threatname: SystemBC

{"HOST1": "207.148.1.174", "HOST2": "146.70.53.169", "PORT1": "443", "TOR": ""}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.326977694.0000000000400000.00000040.00000001.01000000.00000003.sdmpEXT_MAL_SystemBC_Mar22_1Detects unpacked SystemBC module as used by Emotet in March 2022Thomas Barabosch, Deutsche Telekom Security
  • 0x516d:$sx1: -WindowStyle Hidden -ep bypass -file
  • 0x5000:$sx2: BEGINDATA
  • 0x51a9:$sx3: GET %s HTTP/1.0
  • 0x51c4:$s5: User-Agent:
  • 0x5115:$s8: ALLUSERSPROFILE
00000001.00000002.326977694.0000000000400000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_SystemBCYara detected SystemBCJoe Security
    00000001.00000002.326977694.0000000000400000.00000040.00000001.01000000.00000003.sdmpMALWARE_Win_EXEPWSH_DLAgentDetects SystemBCditekSHen
    • 0x5162:$pwsh: powershell
    • 0x51a9:$s1: GET %s HTTP/1
    • 0x51c4:$s2: User-Agent:
    • 0x516d:$s3: -WindowStyle Hidden -ep bypass -file "
    • 0x519e:$s4: LdrLoadDll
    • 0x5000:$v1: BEGINDATA
    • 0x500a:$v2: HOST1:
    • 0x503c:$v2: HOST2:
    • 0x506e:$v3: PORT1:
    • 0x507a:$v4: TOR:
    • 0x5108:$v5: Fwow64
    • 0x510f:$v6: start
    00000001.00000002.327790803.0000000002B50000.00000040.00001000.00020000.00000000.sdmpEXT_MAL_SystemBC_Mar22_1Detects unpacked SystemBC module as used by Emotet in March 2022Thomas Barabosch, Deutsche Telekom Security
    • 0x32e1:$sx1: -WindowStyle Hidden -ep bypass -file
    • 0x3174:$sx2: BEGINDATA
    • 0x331d:$sx3: GET %s HTTP/1.0
    • 0x3338:$s5: User-Agent:
    • 0x3289:$s8: ALLUSERSPROFILE
    00000001.00000002.327790803.0000000002B50000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_SystemBCYara detected SystemBCJoe Security
      Click to see the 7 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.2.conhost.exe.2b50174.2.raw.unpackEXT_MAL_SystemBC_Mar22_1Detects unpacked SystemBC module as used by Emotet in March 2022Thomas Barabosch, Deutsche Telekom Security
      • 0x316d:$sx1: -WindowStyle Hidden -ep bypass -file
      • 0x3000:$sx2: BEGINDATA
      • 0x31a9:$sx3: GET %s HTTP/1.0
      • 0x31c4:$s5: User-Agent:
      • 0x3115:$s8: ALLUSERSPROFILE
      1.2.conhost.exe.2b50174.2.raw.unpackJoeSecurity_SystemBCYara detected SystemBCJoe Security
        1.2.conhost.exe.2b50174.2.raw.unpackMALWARE_Win_EXEPWSH_DLAgentDetects SystemBCditekSHen
        • 0x3162:$pwsh: powershell
        • 0x31a9:$s1: GET %s HTTP/1
        • 0x31c4:$s2: User-Agent:
        • 0x316d:$s3: -WindowStyle Hidden -ep bypass -file "
        • 0x319e:$s4: LdrLoadDll
        • 0x3000:$v1: BEGINDATA
        • 0x300a:$v2: HOST1:
        • 0x303c:$v2: HOST2:
        • 0x306e:$v3: PORT1:
        • 0x307a:$v4: TOR:
        • 0x3108:$v5: Fwow64
        • 0x310f:$v6: start
        1.2.conhost.exe.400000.0.unpackEXT_MAL_SystemBC_Mar22_1Detects unpacked SystemBC module as used by Emotet in March 2022Thomas Barabosch, Deutsche Telekom Security
        • 0x316d:$sx1: -WindowStyle Hidden -ep bypass -file
        • 0x3000:$sx2: BEGINDATA
        • 0x31a9:$sx3: GET %s HTTP/1.0
        • 0x31c4:$s5: User-Agent:
        • 0x3115:$s8: ALLUSERSPROFILE
        1.2.conhost.exe.400000.0.unpackJoeSecurity_SystemBCYara detected SystemBCJoe Security
          Click to see the 7 entries

          Sigma Signatures

          No Sigma rule has matched

          Snort Signatures

          No Snort rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: conhost.exeReversingLabs: Detection: 21%
          Machine Learning detection for sample
          Source: conhost.exeJoe Sandbox ML: detected
          Source: 1.2.conhost.exe.2990000.1.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.2.conhost.exe.2b50174.2.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.2.conhost.exe.400000.0.unpackMalware Configuration Extractor: SystemBC {"HOST1": "207.148.1.174", "HOST2": "146.70.53.169", "PORT1": "443", "TOR": ""}

          Compliance

          barindex
          Detected unpacking (overwrites its own PE header)
          Source: C:\Users\user\Desktop\conhost.exeUnpacked PE file: 1.2.conhost.exe.400000.0.unpack
          Source: conhost.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

          Networking

          barindex
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractorURLs: 207.148.1.174
          Source: Malware configuration extractorURLs: 146.70.53.169
          Source: Joe Sandbox ViewASN Name: AS-CHOOPAUS AS-CHOOPAUS
          Source: Joe Sandbox ViewASN Name: TENET-1ZA TENET-1ZA
          Source: Joe Sandbox ViewIP Address: 146.70.53.169 146.70.53.169
          Source: unknownNetwork traffic detected: HTTP traffic on port 57084 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 59265 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 62435 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 64616 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 61580 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49451 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 52633 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 61109 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 50452 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 50440 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49463 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 63773 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 59253 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 64628 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 51777 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 60266 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 54802 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 52645 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 50464 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 60242 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 57096 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 51319 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 50439 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 63303 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 61122 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 61592 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 60278 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 62411 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 52608 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 54814 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 51789 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 53958 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 62447 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 51320 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 63761 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 59290 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 62460 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 64641 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 61134 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 60229 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 63797 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 53934 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 63315 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49426 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 51753 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49438 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 60230 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 59289 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 62459 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 57047 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 53946 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 51765 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 63327 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 61543 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49896 -> 443
          Source: unknown