Windows Analysis Report: file.exe

Overview

General Information

Detection: Djvu, Fabookie, RHADAMANTHYS, RedLine, SmokeLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Yara detected RedLine Stealer
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
Yara detected Fabookie
Yara detected RHADAMANTHYS Stealer
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into foreign processes
Tries to harvest and steal Bitcoin Wallet information
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Detected VMProtect packer
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Yara detected Keylogger Generic
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to call native functions
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Installs a raw input device (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Processes observed (the report's parent/child indentation did not survive extraction; entries are in report order):

- System is w10x64
- file.exe (PID 5600, MD5 6C8510622324DBE7E235200226D2474F) cmdline: C:\Users\user\Desktop\file.exe
- explorer.exe (PID 3528, MD5 AD5296B280E8F522A8A897C96BAB0E1D) cmdline: C:\Windows\Explorer.EXE
- 7F44.exe (PID 6088, MD5 E487D267FA5FD81A444B487A4F643C6F) cmdline: C:\Users\user\AppData\Local\Temp\7F44.exe
- rundll32.exe (PID 2148, MD5 73C519F050C20580F8A62C849D49215A) cmdline: "C:\Users\user\AppData\Roaming\nsis_uns5fec27.dll",PrintUIEntry followed by the argument below, reproduced exactly as extracted (the report itself flags it as a very long command-line option, likely encrypted or packed):
  |5CQk OhmAAAA|1T Kr5GsMwYD| 67sDqg8OAA l|xYmwxC0T NSO|1k8B3t Zkgiyf2sAZ QByAG4XAP9 sADMAMgAuA KVkHwBs8|A tBQPz8Ff7A GcnAHUAcwB C|wBBAEUAZ gA0PwBGADE ANU8ALQH|W UiD7CjoBAL |AABIg8Qow 8z|zMxMiUQ kGEj|iVQkE EiJTCT9CF0 BSItEJDBIt 4kEJIEBOEh vAAjfSMdEJ BAtAesOvoE BEEiDwAGPA RBugQFASDm WAHMlnwP|i wwkSAPISIu vwUiLTKsBV HsAA||RSIv KigmICPvrw WYFZUiLBCX 9YPPwM8lIi 1AY|0g70XQ 2SIPC|yBIi wJIO8J0|yp mg3hIGHUa| 0yLQFBmQYM 4d2t0BxERS 3UIERD|eBA udAVIiwBf6 9VIi0j9AMF qAP9AU1VWV 0FUQd9VQVZ BV10BZoH|O U1aTYv4TIt |8kiL2Q+F| PPw|0xjSTx BgTwJf1BFA AAPherz8N9 Bi4QJiPPwh cB|SI08AQ+ E1moR74O8C YwtAQ+Ex|7 z8ESLZyBEi 1||HIt3JES LTxj|TAPhT APZSAP|8TP JRYXJD4T9p PPwTYvEQYs Q|0Uz0kgD0 4oC|4TAdB1 BwcoN9w++w PoAAUQD0P6 |EXXsQYH6q vz|DXx0DoP BAUn|g8AEQ TvJc2n|68a LwQ+3DE7|R Yssi0wD63T 3WDPtqhB0U UGL|RTBANM zyYoCTL+Lw usPwcnIEQO 9yOUQAUGKA NUQ7f8zwDP 2QTsMtvzgE KYAg8YBg|g I|3Lu6wpIi 8tB|||VSYk E94PF|uQQx AQ7bxhyr|5 mAUFfQV5BX UHfXF9eXVs zF0iB9+xgA WQAi+noZv| +||9IhcAPh K2YdSBMja8 BiysQyO8z| +ibfSCNXwT |TI1FRjPSi 8vv|1QkaIA gTIvg1w+Ea 3UgRagQM8D 7i9ORIEiJf CQg+qYgcIA gSIvwD4T5S 3UgpiBQSI1 WCP9EjUdAS I2MJH6FEUi L2Oh8|X4gV 41WSN4gEOI hzPPw++hn7 yBEiwaNV+k IQSCmIFjKI YmEJLWAhxL e8|CLDtogW MeJjCRxEQc wkSDoMfbvI IucLTJMi10 630iD+2xIi iAwTH+JZCQ 4TIukGjJ3T IlchAGEJNy HEduGko0Rj UdLMIwk|fD z8EmL1Ojp| HYFMIqceDJ IjYR4Mv9Bg PMhjU9sRPs wGKQCg+kBd fP7gbx4MiF SZXh1302Lh CT0IjGUJP3 4NQHCSDvYc jj|g|psdjN EjUk9QPoAl EG4AJgApiA 9QMoi+HQZR LYwwDHfSY1 UJGyRIEmD7 +hs6GuCMEi Lzv6mIHhIh f90EovnVUJ MjjAbMUiNT H8kQP|XSIH EdCEAYSQtC C0B
- WerFault.exe (PID 5100, MD5 2AFFE478D86272288BBEF5A00BBEF6A0) cmdline: C:\Windows\system32\WerFault.exe -u -p 2148 -s 536
- 7194.exe (PID 6136, MD5 54EF40032C240E98FA4E1BB642E3EF21) cmdline: C:\Users\user\AppData\Local\Temp\7194.exe
- 7194.exe (PID 3788, MD5 54EF40032C240E98FA4E1BB642E3EF21) cmdline: C:\Users\user\AppData\Local\Temp\7194.exe
- E171.exe (PID 5344, MD5 27CEA335A18BF5E4125FF21D35855C10) cmdline: C:\Users\user\AppData\Local\Temp\E171.exe
- CE81.exe (PID 5424, MD5 5B11DEFEA0441CEFDA0B917752E7118C) cmdline: C:\Users\user\AppData\Local\Temp\CE81.exe
- 3C99.exe (PID 5420, MD5 5F5DD6F3A3ACFB85488650F5F566D6F3) cmdline: C:\Users\user\AppData\Local\Temp\3C99.exe
- 2F18.exe (PID 5456, MD5 5F5DD6F3A3ACFB85488650F5F566D6F3) cmdline: C:\Users\user\AppData\Local\Temp\2F18.exe
- 9531.exe (PID 5512, MD5 9A588B8F7D2967B240A5FC32DA40605F) cmdline: C:\Users\user\AppData\Local\Temp\9531.exe
- MSBuild.exe (PID 5736, MD5 D621FD77BD585874F9686D3A76462EF1) cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
- MSBuild.exe (PID 5976, MD5 D621FD77BD585874F9686D3A76462EF1) cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
- MSBuild.exe (PID 5960, MD5 D621FD77BD585874F9686D3A76462EF1) cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
- 833B.exe (PID 4132, MD5 9A588B8F7D2967B240A5FC32DA40605F) cmdline: C:\Users\user\AppData\Local\Temp\833B.exe
- MSBuild.exe (PID 6068, MD5 D621FD77BD585874F9686D3A76462EF1) cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
- 83C6.exe (PID 5292, MD5 F6CD417B223890CF499C112918E87325) cmdline: C:\Users\user\AppData\Local\Temp\83C6.exe
- F781.exe (PID 5280, MD5 8A89555F2E15DA1C59AFBACC70F7C8FC) cmdline: C:\Users\user\AppData\Local\Temp\F781.exe
- irddegt (PID 6112, MD5 6C8510622324DBE7E235200226D2474F) cmdline: C:\Users\user\AppData\Roaming\irddegt
- juddegt (PID 6060, MD5 27CEA335A18BF5E4125FF21D35855C10) cmdline: C:\Users\user\AppData\Roaming\juddegt
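The hash column of the process list repays a second look: several differently named images share an MD5 (file.exe and irddegt, E171.exe and juddegt, 3C99.exe and 2F18.exe, 9531.exe and 833B.exe), and every MSBuild.exe instance runs with no project file. The Python below is an added example, not part of the Joe Sandbox report, that re-types the process list as records and applies the triage an analyst would run over such a tree: MD5 clustering to expose renamed copies, 4-hex-digit droppers in %TEMP%, extension-less copies in %APPDATA%, argument-less MSBuild.exe hosts, rundll32 loading a DLL from a user-writable path, and oversized command lines. The rundll32 image path is assumed (the report shows only its arguments) and its encoded argument is replaced by a constructed stand-in of comparable length, because the report renders the real one garbled; the regexes and the 512-character threshold are the example's own choices.

```python
import re
from collections import defaultdict


def P(pid, image, md5, cmdline=None):
    """Record constructor; cmdline defaults to the bare image path."""
    return {"pid": pid, "image": image, "md5": md5, "cmdline": cmdline or image}


TEMP = r"C:\Users\user\AppData\Local\Temp"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
# Constructed stand-in for the report's very long encoded rundll32 argument (not the real blob).
RUNDLL_ARG = '"C:\\Users\\user\\AppData\\Roaming\\nsis_uns5fec27.dll",PrintUIEntry |5CQk' + "A" * 1500

# Process list copied from the report above, in report order.
PROCESSES = [
    P(5600, r"C:\Users\user\Desktop\file.exe", "6C8510622324DBE7E235200226D2474F"),
    P(3528, r"C:\Windows\Explorer.EXE", "AD5296B280E8F522A8A897C96BAB0E1D"),
    P(6088, TEMP + r"\7F44.exe", "E487D267FA5FD81A444B487A4F643C6F"),
    # image path assumed: the report shows only the rundll32 arguments
    P(2148, r"C:\Windows\System32\rundll32.exe", "73C519F050C20580F8A62C849D49215A", RUNDLL_ARG),
    P(5100, r"C:\Windows\system32\WerFault.exe", "2AFFE478D86272288BBEF5A00BBEF6A0",
      r"C:\Windows\system32\WerFault.exe -u -p 2148 -s 536"),
    P(6136, TEMP + r"\7194.exe", "54EF40032C240E98FA4E1BB642E3EF21"),
    P(3788, TEMP + r"\7194.exe", "54EF40032C240E98FA4E1BB642E3EF21"),
    P(5344, TEMP + r"\E171.exe", "27CEA335A18BF5E4125FF21D35855C10"),
    P(5424, TEMP + r"\CE81.exe", "5B11DEFEA0441CEFDA0B917752E7118C"),
    P(5420, TEMP + r"\3C99.exe", "5F5DD6F3A3ACFB85488650F5F566D6F3"),
    P(5456, TEMP + r"\2F18.exe", "5F5DD6F3A3ACFB85488650F5F566D6F3"),
    P(5512, TEMP + r"\9531.exe", "9A588B8F7D2967B240A5FC32DA40605F"),
    P(5736, MSBUILD, "D621FD77BD585874F9686D3A76462EF1"),
    P(5976, MSBUILD, "D621FD77BD585874F9686D3A76462EF1"),
    P(5960, MSBUILD, "D621FD77BD585874F9686D3A76462EF1"),
    P(4132, TEMP + r"\833B.exe", "9A588B8F7D2967B240A5FC32DA40605F"),
    P(6068, MSBUILD, "D621FD77BD585874F9686D3A76462EF1"),
    P(5292, TEMP + r"\83C6.exe", "F6CD417B223890CF499C112918E87325"),
    P(5280, TEMP + r"\F781.exe", "8A89555F2E15DA1C59AFBACC70F7C8FC"),
    P(6112, r"C:\Users\user\AppData\Roaming\irddegt", "6C8510622324DBE7E235200226D2474F"),
    P(6060, r"C:\Users\user\AppData\Roaming\juddegt", "27CEA335A18BF5E4125FF21D35855C10"),
]

# Triage rules (the example's own heuristics, not sandbox signatures).
TEMP_HEX_DROPPER = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-F]{4}\.exe$", re.I)
ROAMING_NOEXT = re.compile(r"\\AppData\\Roaming\\[^\\.]+$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
LONG_CMDLINE = 512  # characters


def basename(path):
    return path.rsplit("\\", 1)[-1]


def renamed_copies(procs):
    """Map each MD5 to the file names it ran under; keep hashes seen under more than one name."""
    names = defaultdict(set)
    for p in procs:
        names[p["md5"]].add(basename(p["image"]))
    return {h: n for h, n in names.items() if len(n) > 1}


def triage(procs):
    """Return (pid, reason) findings; one process can yield several."""
    findings = []
    for p in procs:
        pid, img, cmd = p["pid"], p["image"], p["cmdline"]
        base = basename(img).lower()
        if TEMP_HEX_DROPPER.search(img):
            findings.append((pid, "executable with 4-hex-digit name run from %TEMP%"))
        if ROAMING_NOEXT.search(img):
            findings.append((pid, "extension-less executable in %APPDATA% (persistence copy)"))
        if base == "msbuild.exe" and cmd.strip().strip('"').lower() == img.lower():
            findings.append((pid, "MSBuild.exe started without a project file (likely injection host)"))
        if base == "rundll32.exe":
            m = re.search(r'"?([^",]+\.dll)"?,', cmd, re.I)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append((pid, "rundll32 loading a DLL from a user-writable path"))
        if len(cmd) > LONG_CMDLINE:
            findings.append((pid, f"command line of {len(cmd)} chars (encoded payload?)"))
    return findings


if __name__ == "__main__":
    for h, names in renamed_copies(PROCESSES).items():
        print(h, "->", ", ".join(sorted(names)))
    for pid, why in triage(PROCESSES):
        print(pid, why)
```

The MD5 clustering is the cheapest check here: a sample that copies itself under a random extension-less name in %APPDATA% is exactly what the "Deletes itself after installation" signature above implies, and the shared hash ties the copy back to the original without any file-system access.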
Malware Configuration

Djvu ransomware configuration:

```json
{
  "Download URLs": ["http://uaery.top/dl/build2.exe", "http://spaceris.com/files/1/build3.exe"],
  "C2 url": "http://spaceris.com/lancer/get.php",
  "Ransom note file": "_readme.txt",
  "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-GTrvfBi8hs\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0634JOsie",
  "Ignore Files": [
    "ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol",
    ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms",
    "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\",
    "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\",
    "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\",
    "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"
  ],
  "Public Key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNHTd6OSWQTtTgt8H8Fa\nAgjAgtiOalOEtMWyJApWZ69VY/N5xZl9105guXNlO6ye3oZm+/s8EDcPjYHCZXro\nboS3Z82uQKqOxp16wWM5Bvz0B92LauLyVux57wkOkASBvCGIi1riCb9vQ6Jw7ecH\nMzpq3BnvJpCvr2jFsZAwczhsiVhZhPxl2yGr+pKXF6V1OhQqHVAfZ3Gaz5ALhGLz\n6SVW/HcocSTYzChNquJGEvW1AVp0APXHncBLg57H3zKt3h48q8ruvpRIXW2r29hM\nhRtLvyN3talq8DWB8FHT2wgoPsA73EUEIO/TFtzm/fA62DBn0oR6q989c5wo5qwF\nGQIDAQAB\n-----END PUBLIC KEY-----"
}
```

The embedded public key is a 2048-bit RSA SubjectPublicKeyInfo (the `\\n` and `\/` escaping in the raw report output has been undone above; the key material is unchanged).

RedLine stealer configuration:

```json
{"C2 url": "82.115.223.9:15486", "Bot Id": "TestedPotikUodated", "Authorization Header": "85a219bdf260de0a4b8a6127147534fe"}
```

SmokeLoader configuration:

```json
{"C2 list": ["http://channelpi.com/tmp/", "http://mordo.ru/tmp/"]}
```
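The three extracted configurations are the most reusable output of this run. The Python below is an added example, not part of the report and not code from any of the families involved: it flattens the configurations into one indicator set (hosts, URLs, the RedLine C2 socket, contact e-mails, file names) and validates the Djvu public key by undoing the `\\n` / `\/` escaping the raw report applies to the PEM, base64-decoding the SubjectPublicKeyInfo and walking the DER by hand to confirm the rsaEncryption OID, modulus size and exponent. The configurations are copied from the report above (the ransom note trimmed to the lines that carry indicators, the key kept in the report's escaped single-line form so the normalisation is exercised); the DER walker handles only the definite-length encoding such keys use.

```python
import base64
import re
from urllib.parse import urlparse

# Configurations copied from the report above. Ransom note trimmed to indicator-bearing lines;
# public key left in the report's escaped single-line form on purpose.
DJVU = {
    "Download URLs": ["http://uaery.top/dl/build2.exe", "http://spaceris.com/files/1/build3.exe"],
    "C2 url": "http://spaceris.com/lancer/get.php",
    "Ransom note file": "_readme.txt",
    "Ransom note": ("ATTENTION!\r\n\r\nYou can get and look video overview decrypt tool:\r\n"
                    "https://we.tl/t-GTrvfBi8hs\r\n"
                    "To get this software you need write on our e-mail:\r\n"
                    "support@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\n"
                    "datarestorehelp@airmail.cc\r\n"),
    "Public Key": (
        r"-----BEGIN PUBLIC KEY-----\\n"
        r"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNHTd6OSWQTtTgt8H8Fa\\n"
        r"AgjAgtiOalOEtMWyJApWZ69VY\/N5xZl9105guXNlO6ye3oZm+\/s8EDcPjYHCZXro\\n"
        r"boS3Z82uQKqOxp16wWM5Bvz0B92LauLyVux57wkOkASBvCGIi1riCb9vQ6Jw7ecH\\n"
        r"Mzpq3BnvJpCvr2jFsZAwczhsiVhZhPxl2yGr+pKXF6V1OhQqHVAfZ3Gaz5ALhGLz\\n"
        r"6SVW\/HcocSTYzChNquJGEvW1AVp0APXHncBLg57H3zKt3h48q8ruvpRIXW2r29hM\\n"
        r"hRtLvyN3talq8DWB8FHT2wgoPsA73EUEIO\/TFtzm\/fA62DBn0oR6q989c5wo5qwF\\n"
        r"GQIDAQAB\\n-----END PUBLIC KEY-----"
    ),
}
REDLINE = {"C2 url": "82.115.223.9:15486", "Bot Id": "TestedPotikUodated",
           "Authorization Header": "85a219bdf260de0a4b8a6127147534fe"}
SMOKELOADER = {"C2 list": ["http://channelpi.com/tmp/", "http://mordo.ru/tmp/"]}

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL = re.compile(r"https?://[^\s\"'<>]+")


def collect_iocs(djvu, redline, smoke):
    """Flatten the three configs into one indicator set keyed by type."""
    iocs = {"hosts": set(), "urls": set(), "sockets": set(),
            "emails": set(), "files": set(), "note_urls": set()}
    for url in djvu["Download URLs"] + [djvu["C2 url"]] + smoke["C2 list"]:
        iocs["urls"].add(url)
        iocs["hosts"].add(urlparse(url).hostname)
    host, _, port = redline["C2 url"].rpartition(":")  # bare host:port, no scheme
    iocs["sockets"].add((host, int(port)))
    iocs["emails"].update(EMAIL.findall(djvu["Ransom note"]))
    iocs["note_urls"].update(URL.findall(djvu["Ransom note"]))
    iocs["files"].add(djvu["Ransom note file"])
    iocs["files"].update(u.rsplit("/", 1)[-1] for u in djvu["Download URLs"])
    return iocs


def normalize_pem(text):
    """Undo the report's escaping: literal '\\\\n' or '\\n' become newlines, '\\/' becomes '/'."""
    return text.replace("\\\\n", "\n").replace("\\n", "\n").replace("\\/", "/")


def _tlv(buf, off):
    """Read one definite-length DER TLV at off; return (tag, value, offset after it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_rsa_spki(pem):
    """Return modulus bit length and public exponent of an RSA SubjectPublicKeyInfo PEM."""
    b64 = "".join(l.strip() for l in normalize_pem(pem).splitlines() if "-----" not in l)
    der = base64.b64decode(b64, validate=True)
    tag, spki, _ = _tlv(der, 0)                 # SubjectPublicKeyInfo SEQUENCE
    tag_alg, alg, off = _tlv(spki, 0)           # AlgorithmIdentifier SEQUENCE
    tag_oid, oid, _ = _tlv(alg, 0)              # algorithm OID
    if (tag, tag_alg, tag_oid) != (0x30, 0x30, 0x06) or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag_bits, bits, _ = _tlv(spki, off)         # subjectPublicKey BIT STRING
    if tag_bits != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa, _ = _tlv(bits[1:], 0)               # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n, off = _tlv(rsa, 0)
    _, e, _ = _tlv(rsa, off)
    return {"bits": int.from_bytes(n, "big").bit_length(), "exponent": int.from_bytes(e, "big")}


if __name__ == "__main__":
    print(parse_rsa_spki(DJVU["Public Key"]))
    for kind, values in collect_iocs(DJVU, REDLINE, SMOKELOADER).items():
        print(kind, sorted(map(str, values)))
```

The key check matters operationally: Djvu encrypts file keys under this RSA public key when the C2 is unreachable, so a configuration whose embedded key fails to parse, or is not 2048-bit RSA with e = 65537, points at a corrupted extraction rather than a new build.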
Yara matches (the source-object and matched-strings columns were empty in the extraction and are omitted):

| Rule | Description | Author |
|---|---|---|
| JoeSecurity_Fabookie | Yara detected Fabookie | Joe Security |
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

First 5 of 46 matches:

| Rule | Description | Author |
|---|---|---|
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |

First 5 of 39 matches:

| Rule | Description | Author |
|---|---|---|
| MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
| MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
| MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
No Sigma rule has matched.
No Snort rule has matched.
AV Detection

The per-entry detail of this section (the file or URL each verdict applies to, and the verdict itself) was not preserved in the extraction. Grouped by source, the report cites: URL Reputation (1 entry), Avira URL Cloud (3), Avira (3), ReversingLabs (9), Virustotal (2, each with a permalink), Joe Sandbox ML (12) and Malware Configuration Extractor (1).