Edit tour
Windows
Analysis Report
astx_setup.exe
Overview
General Information
| Sample Name: | astx_setup.exe |
| Analysis ID: | 755221 |
| MD5: | 7dd75b2c2e214c0347df3dc137161b19 |
| SHA1: | 072a03d9279d3ecbdb5a76c70a862a75fb50d95b |
| SHA256: | 06f360d2a25c75619cb769f56ced75d3d92cd339cb3ec2e3aa9c642ba6f3158f |
| Infos: |  |
 | |
Detection
GuLoader
| Score: | 34 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 20% |
Compliance
| Score: | 51 |
| Range: | 0 - 100 |
Signatures
Yara detected AntiVM3
Yara detected GuLoader
Found driver which could be used to inject code into processes
May modify the system service descriptor table (often done to hook functions)
Writes many files with high entropy
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Yara detected Keylogger Generic
Creates or modifies windows services
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Classification
Analysis Advice
| Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox |
| Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior |
| Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
| Sample searches for specific file, try point organization specific fake files to the analysis machine |
- System is w10x64_ra
astx_setup.exe (PID: 6348 cmdline: C:\Users\u ser\Deskto p\astx_set up.exe MD5: 7DD75B2C2E214C0347DF3DC137161B19) 
cmd.exe (PID: 6456 cmdline: C:\Windows \system32\ cmd.exe /C "ECHO Y| cacls C:\U sers\user\ AppData\Lo cal\Temp\a sfB6FB.tmp /s:D:PAI( A;;FA;;;BA )" MD5: 4943BA1A9B41D69643F69685E35B2943) - conhost.exe (PID: 6464 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F) - cmd.exe (PID: 6512 cmdline:
C:\Windows \system32\ cmd.exe /S /D /c" EC HO Y" MD5: 4943BA1A9B41D69643F69685E35B2943) 
cacls.exe (PID: 6524 cmdline: cacls C:\U sers\user\ AppData\Lo cal\Temp\a sfB6FB.tmp /s:D:PAI( A;;FA;;;BA ) MD5: B304B0EF47E125F696425BD99096D3E3) - V3Medic.exe (PID: 6624 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\asfB6F B.tmp\V3Me dic.exe" MD5: F4116873D9C057697783C2C128708617) - SysX64.exe (PID: 7156 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\nsdE18B .tmp\SysX6 4.exe MD5: 9005E21833E657558F139A3D3945C97D) - conhost.exe (PID: 7164 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F) - SysX64.exe (PID: 6204 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\nsdE18B .tmp\SysX6 4.exe MD5: 9005E21833E657558F139A3D3945C97D) - conhost.exe (PID: 6180 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Code function: | 0_2_1007F680 | |
Compliance |   |
|---|
| Source: | Static PE information: | ||
| Source: | Window detected: | ||