Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
HHGHJJUILn.exe

Overview

General Information

Sample Name:HHGHJJUILn.exe
Analysis ID:764040
MD5:103f2ca898f5c7285a3651f23d926218
SHA1:aded75bc932ddb0c9b17f257f82a5be822cab8e6
SHA256:10633d83edea2308a01d9bcbd507737bf66e93550be49239cd801257f79c7d37
Tags:exe
Infos:

Detection

DarkCloud
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected DarkCloud
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Writes to foreign memory regions
Detected potential unwanted application
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Drops PE files to the user root directory
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Drops PE files to the user directory
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • HHGHJJUILn.exe (PID: 5460 cmdline: C:\Users\user\Desktop\HHGHJJUILn.exe MD5: 103F2CA898F5C7285A3651F23D926218)
    • vbc.exe (PID: 5168 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 5140 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 5132 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 4772 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
    00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
      Process Memory Space: HHGHJJUILn.exe PID: 5460SUSP_Reversed_Base64_Encoded_EXEDetects an base64 encoded executable with reversed charactersFlorian Roth
      • 0x212b6:$s2: AAAAAAAAAAoVT
      • 0x19769f:$s2: AAAAAAAAAAoVT
      • 0x2af0d0:$s2: AAAAAAAAAAoVT
      Process Memory Space: HHGHJJUILn.exe PID: 5460JoeSecurity_DarkCloudYara detected DarkCloudJoe Security
        Process Memory Space: vbc.exe PID: 4772JoeSecurity_DarkCloudYara detected DarkCloudJoe Security
          Click to see the 2 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.HHGHJJUILn.exe.252d0175a70.4.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
            0.2.HHGHJJUILn.exe.252d0175a70.4.unpackMALWARE_Win_A310LoggerDetects A310LoggerditekSHen
            • 0x2f958:$s1: Temporary Directory * for
            • 0x2f994:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
            • 0x31b98:$s6: Content-Disposition: form-data; name="document"; filename="
            • 0x2f940:$s7: CopyHere
            • 0x2f8fc:$s9: Shell.Application
            • 0x2fca0:$s9: shell.application
            • 0x31d0c:$s10: SetRequestHeader
            • 0x2fa3c:$s12: @TITLE Removing
            • 0x2fa74:$s13: @RD /S /Q "
            0.2.HHGHJJUILn.exe.252d012dbe0.3.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
              0.2.HHGHJJUILn.exe.252d012dbe0.3.unpackMALWARE_Win_A310LoggerDetects A310LoggerditekSHen
              • 0x77b0:$s1: Temporary Directory * for
              • 0x77ec:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
              • 0x99f0:$s6: Content-Disposition: form-data; name="document"; filename="
              • 0x7798:$s7: CopyHere
              • 0x7754:$s9: Shell.Application
              • 0x7af8:$s9: shell.application
              • 0x9b64:$s10: SetRequestHeader
              • 0x7894:$s12: @TITLE Removing
              • 0x78cc:$s13: @RD /S /Q "
              4.0.vbc.exe.400000.0.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
                Click to see the 5 entries

                Sigma Signatures

                No Sigma rule has matched

                Snort Signatures

                No Snort rule has matched

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Machine Learning detection for sample
                Source: HHGHJJUILn.exeJoe Sandbox ML: detected
                Source: 4.3.vbc.exe.502d8d0.0.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpackAvira: Label: TR/Dropper.Gen
                Source: 4.0.vbc.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
                Source: 4.2.vbc.exe.502d8d0.0.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: HHGHJJUILn.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: HHGHJJUILn.pdb source: HHGHJJUILn.exe
                Source: Binary string: W.pdb4 source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, vbsqlite3.dll.4.dr
                Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdb source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp, HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdbBSJB source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp, HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp

                Networking

                barindex
                May check the online IP address of the machine
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeDNS query: name: showip.net
                Source: Joe Sandbox ViewIP Address: 162.55.60.2 162.55.60.2
                Source: HHGHJJUILn.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
                Source: HHGHJJUILn.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                Source: HHGHJJUILn.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
                Source: HHGHJJUILn.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
                Source: HHGHJJUILn.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                Source: HHGHJJUILn.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
                Source: HHGHJJUILn.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
                Source: HHGHJJUILn.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
                Source: HHGHJJUILn.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                Source: HHGHJJUILn.exeString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                Source: HHGHJJUILn.exeString found in b