Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PO No. 3200005919.exe

Overview

General Information

Sample Name:PO No. 3200005919.exe
Analysis ID:755357
MD5:9453cdcf8221341d06bac47b8ab3aa19
SHA1:c35a23cdc61eb42594e1a39a23ccae06399263c0
SHA256:7490acc48d1659234d61c1716c0d549880a98375f502502b60dcc71b49f7f14f
Infos:

Detection

Azorult, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Azorult
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Self deletion via cmd or bat file
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Bitcoin Wallet information
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Queries information about the installed CPU (vendor, model number etc)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64native
  • PO No. 3200005919.exe (PID: 6564 cmdline: C:\Users\user\Desktop\PO No. 3200005919.exe MD5: 9453CDCF8221341D06BAC47B8AB3AA19)
    • PO No. 3200005919.exe (PID: 5920 cmdline: C:\Users\user\Desktop\PO No. 3200005919.exe MD5: 9453CDCF8221341D06BAC47B8AB3AA19)
      • cmd.exe (PID: 3152 cmdline: C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PO No. 3200005919.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • timeout.exe (PID: 580 cmdline: C:\Windows\system32\timeout.exe 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.7268634345.000000001D92C000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_Azorult_1Yara detected AzorultJoe Security
    00000005.00000002.7267996696.000000001D8D0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_Azorult_1Yara detected AzorultJoe Security
      00000005.00000002.7257083339.000000001D3C0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_Azorult_1Yara detected AzorultJoe Security
        00000001.00000002.7116762893.0000000004120000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          00000005.00000000.6901415186.0000000001660000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
            Click to see the 4 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            5.2.PO No. 3200005919.exe.1de7883c.3.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              5.2.PO No. 3200005919.exe.1de7883c.3.raw.unpackJoeSecurity_Azorult_1Yara detected AzorultJoe Security
                5.2.PO No. 3200005919.exe.1de7883c.3.raw.unpackOlympicDestroyer_1OlympicDestroyer Payloadkevoreilly
                • 0x32285c:$string1: SELECT origin_url, username_value, password_value FROM logins
                • 0x3269b7:$string1: SELECT origin_url, username_value, password_value FROM logins
                • 0x197172:$string2: API call with %s database connection pointer
                • 0x197da6:$string3: os_win.c:%d: (%lu) %s(%s) - %s
                5.2.PO No. 3200005919.exe.1de22afc.5.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  5.2.PO No. 3200005919.exe.1de22afc.5.raw.unpackJoeSecurity_Azorult_1Yara detected AzorultJoe Security
                    Click to see the 4 entries

                    Sigma Signatures

                    No Sigma rule has matched

                    Snort Signatures

                    Timestamp:192.168.11.20104.21.2.649830802029468 11/28/22-16:37:02.608409
                    SID:2029468
                    Source Port:49830
                    Destination Port:80
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:104.21.2.6192.168.11.2080498302029137 11/28/22-16:37:03.671390
                    SID:2029137
                    Source Port:80
                    Destination Port:49830
                    Protocol:TCP
                    Classtype:A Network Trojan was detected

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Multi AV Scanner detection for submitted file
                    Source: PO No. 3200005919.exeReversingLabs: Detection: 61%
                    Source: PO No. 3200005919.exeVirustotal: Detection: 47%Perma Link