Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
OMHGCG.exe

Overview

General Information

Sample Name:OMHGCG.exe
Analysis ID:756309
MD5:fae47086c34007307f6e2cd0c47a97d8
SHA1:00caba8b2c7d23a2acc78f54155db976d902f2c4
SHA256:00973673a54cfd2a206c7695fa86077d1a1803629d7207b1e5fb295255a25ae2
Tags:exeLodaRat
Infos:

Detection

LodaRAT
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected LodaRAT
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Creates a start menu entry (Start Menu\Programs\Startup)
Potential key logger detected (key state polling based)
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64