Windows Analysis Report
5GPueTFF2S.exe

Overview

General Information

Sample Name: 5GPueTFF2S.exe
Analysis ID: 764034
MD5: 7d124bc23be85d73b1177143f41b5e72
SHA1: 09633b90a0b993fd4dec6d522a1243433fc3ab10
SHA256: 04805512d670fb5f37bdf17bf00aae6976650f82c0b4bd342f3506d204f7aea2
Tags: 32, exe, trojan

Detection

Amadey, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Amadey's stealer DLL
Malicious sample detected (through community Yara rule)
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Yara detected Vidar stealer
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Overwrites code with function prologues
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Self deletion via cmd or bat file
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Tries to evade analysis by executing a special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Uses cacls to modify the permissions of files
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 5GPueTFF2S.exe (PID: 5848 cmdline: C:\Users\user\Desktop\5GPueTFF2S.exe MD5: 7D124BC23BE85D73B1177143F41B5E72)
    • 75873290272674793137.exe (PID: 6132 cmdline: "C:\ProgramData\75873290272674793137.exe" MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
      • gntuud.exe (PID: 5292 cmdline: "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
        • schtasks.exe (PID: 5724 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 3644 cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 2160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 4628 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cacls.exe (PID: 3856 cmdline: CACLS "gntuud.exe" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
          • cacls.exe (PID: 4760 cmdline: CACLS "gntuud.exe" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
          • cmd.exe (PID: 4384 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cacls.exe (PID: 5932 cmdline: CACLS "..\03bd543fce" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
          • cacls.exe (PID: 4532 cmdline: CACLS "..\03bd543fce" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
        • rundll32.exe (PID: 5968 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • cmd.exe (PID: 5576 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 3216 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • gntuud.exe (PID: 5956 cmdline: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
  • cleanup
Malware Configuration (Amadey): {"C2 url": "85.209.135.109/jg94cVd30f/index.php", "Version": "3.50"}
Malware Configuration (Vidar): {"C2 url": ["http://135.181.10.220:80", "https://t.me/vmt001"], "Botnet": "1760", "Version": "56.1"}
Yara matches in process memory dumps

Source | Rule | Description | Author
00000007.00000003.483002099.0000000001165000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security
00000012.00000002.518241260.00000000000A1000.00000020.00000001.01000000.00000007.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000001.00000002.445175041.0000000000F71000.00000020.00000001.01000000.00000006.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Yara matches in unpacked PE files

Source | Rule | Description | Author
0.2.5GPueTFF2S.exe.a3f900.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.3.5GPueTFF2S.exe.b070000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.3.5GPueTFF2S.exe.a3f900.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.5GPueTFF2S.exe.b070000.2.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.3.5GPueTFF2S.exe.b070000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: http://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe | Avira URL Cloud: Label: malware
Source: C:\ProgramData\75873290272674793137.exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\nppshell[1].exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | ReversingLabs: Detection: 35%
Source: 5GPueTFF2S.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["http://135.181.10.220:80", "https://t.me/vmt001"], "Botnet": "1760", "Version": "56.1"}
Source: 18.2.gntuud.exe.a0000.0.unpack | Malware Configuration Extractor: Amadey {"C2 url": "85.209.135.109/jg94cVd30f/index.php", "Version": "3.50"}

Compliance
