Edit tour
Windows
Analysis Report
3ZCSmfAvnf.exe
Overview
General Information
| Sample Name: | 3ZCSmfAvnf.exe |
| Analysis ID: | 786965 |
| MD5: | c7fbe52e88456eabb4d4a1a1a0670cf4 |
| SHA1: | 3b479f15645c31c7067c31aede6e1802093ac78b |
| SHA256: | 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746 |
| Tags: | 32exe |
| Infos: |   |
 | |
Detection
AsyncRAT, StormKitty
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Sigma detected: Capture Wi-Fi password
Antivirus detection for URL or domain
Yara detected AsyncRAT
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Telegram Recon
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Antivirus / Scanner detection for submitted sample
Yara detected StormKitty Stealer
Multi AV Scanner detection for dropped file
Creates multiple autostart registry keys
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
May check the online IP address of the machine
.NET source code contains potential unpacker
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Connects to a pastebin service (likely for C&C)
Found many strings related to Crypto-Wallets (likely being stolen)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality to log keystrokes (.Net Source)
Tries to harvest and steal WLAN passwords
Yara detected Generic Downloader
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Yara detected Credential Stealer
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
3ZCSmfAvnf.exe (PID: 4560 cmdline: C:\Users\u ser\Deskto p\3ZCSmfAv nf.exe MD5: C7FBE52E88456EABB4D4A1A1A0670CF4) - WindowsDataC.exe (PID: 2444 cmdline:
"C:\Progra mData\Wind owsDataC.e xe" MD5: C7FBE52E88456EABB4D4A1A1A0670CF4) - RunIt.exe (PID: 3100 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\RunIt. exe" MD5: D067619856F7F3079375960F62B99369) - wwst.exe (PID: 4816 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\wwst.e xe" MD5: 5224B9398F4ED7A52B85B432B3D50A04) 
cmd.exe (PID: 4192 cmdline: "cmd.exe" /C chcp 65 001 && net sh wlan sh ow profile | findstr All MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 5408 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - chcp.com (PID: 1416 cmdline:
chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9) - netsh.exe (PID: 1524 cmdline:
netsh wlan show prof ile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807) - findstr.exe (PID: 1972 cmdline:
findstr Al l MD5: 8B534A7FC0630DE41BB1F98C882C19EC) - cmd.exe (PID: 1784 cmdline:
"cmd.exe" /C chcp 65 001 && net sh wlan sh ow network s mode=bss id MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 2088 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - chcp.com (PID: 6012 cmdline:
chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9) - netsh.exe (PID: 4136 cmdline:
netsh wlan show netw orks mode= bssid MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
- WindowsDataC.exe (PID: 1604 cmdline:
"C:\Progra mData\Wind owsDataC.e xe" MD5: C7FBE52E88456EABB4D4A1A1A0670CF4)
- WindowsDataC.exe (PID: 5964 cmdline:
"C:\Progra mData\Wind owsDataC.e xe" MD5: C7FBE52E88456EABB4D4A1A1A0670CF4)
- Rnts.exe (PID: 5424 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\Rnts.e xe" MD5: D067619856F7F3079375960F62B99369)
- Rnts.exe (PID: 1636 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\Rnts.e xe" MD5: D067619856F7F3079375960F62B99369)
- cleanup
{"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot5980420064:AAHGrlOU2WsgF90Pcyz-L7wrGgC_Cj54k4Q/sendMessage?chat_id=806259874", "Version": "", "AES_key": "VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OBaK0EGWuj7WuAcQPCCGuzHpDqFZbXR7iRqVn6TiLRsO0LCMB4ta4XLQ4JdTFXvnQHcGiUxHddH70T/2P2bBVY0W+PVJDzG3XUWHpYb4PVv7qaQr/DalR3qyyd5otzE1kIjJLCOCyI/9ntIcD/PbMTKVnCP4fzbnkNB+xy0PmQmx3WRWEF5q72TdgaKrCbOpR2C/+rfGIoPC6Ze6dqWO3bQLGt6jpCO8A4CtAaAYmiw1vHUOfP54BgI9ls1TjYO3Rn4R1jmhWBGV2pT5chrglgSxMzPhrxFTQljG78RlPCJmyagJbtnPL3AlV34sQggcbf+80FVeyechm/xrMTSWXrJQ+xek1HRJBDFoCJyUR7SuIUelOW24TU+rwl/2dcALLZXpjYu3/zvJjH4iaJXRCt7oWhfzIFG1bHBFr78kV9VP0H+ZNVb129eUr14F/uubAoIPAz2EHG/CXBZv9GkFuzw0NgsI1eP7AznCLdT+z91M+yB7vWtvclwQ5k6MxWDPOraG5JMjUHvKI6zvyZ4IQ2a7bUENDghxLAqIxgo7zfZMdrjbRxBlqW14oki6Um7GpGKEZ0s2Ip6K2yJHBLpbVxOYjyzrxohMguh+qvgQIDAQABozIwMDAdBgNVHQ4EFgQUmTejTtK6on20N0YJez5sAZdMe/kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAhauA0si7sHBd06DSGJgP5vJxL2daW30wR5XbAJd0HWj3QWfl7w27iyZ5AqBT4B0ojLNuMUG8mUOvpcoq0m80qUX7TIKUULKvb+i7uGGEDxk3W5F3es/CTUUWO0QlseWx9QEYziGlp6f3tkP4PTGSL0DywVRSa8l6f/B5kqwnW17CbQfJZ8vmy5snpDO/avgYssUnQtKQPhos7GbokNHps/bxEIRfLeprzQox20dw4RV59LcorjP5QV7Vc6FuYmhzC0nfRetTHckyxg66O3ekfTVs87MLiDV0ipQ+D/6k3g6DRuTdd4V2khjtI56ujSqTQ2PueNQXPu8y2fdsT2Rd1LcfxMS1xKAhSwhHfyy0I3JwzPG1D+sm3QNJEOoJviSNn5fYOFpY+mSEkFNMMeEbwOFdHxWbkiJk/Z8VwdH5I52tkHU3sRQMuZHtcKUc/SIt5Ivv6gtuEZQdm1GE6KUdiRB95s8JVGNlCcHX5bXbScu4eKCRQn3Cl+m5KR4EzI6hVP/iDRhVKj7Dn/blOHLzhNS5vW4X085dTP+1TBL8CHpQpiA3t8LfqfV1b/+WahOd3jNBNTXXfe/AQSjErgctLMdmOBpUQaJLOlcDcKGxWQdOo102nxg8Y/kFDARccywugoQxuIZpMYq74tjnJlJZ9kqR/LPrjmvx4v+0XFsaCPE=", "ServerSignature": "J7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3cqiXYo1yZ5y3dDnnERLagBuX1bemwzX/7DjHkfOaIPLgAAO8vGHbQX3pPqmwC88sG1+FExp3FEKMITnQTqQr5uXa5GjggFUSFr9rt2nfcjEjHRnOzX1jpsUUtuDyqoAFhdosdv46x+o5Iod34II88nouxzyzAfMSa48ozukJ3fCknI6u9fj/it1dx0GimhXUv4YG4A19n3EdvJbaxZXImHZvqiYGsHTIUtxa89QhxCpuJPKdTP7ya5rJFkDT0Z8ijH4Z1Dv42umyEN6PT99JRuJHcXSqkXfOeOilnM6YRY019FHq6udNVWn5OQetK4ULVcQmwPTV26ZRPyrqO57Rjr5LeSauZtNKTE/kmS1iR3eMtq5PsAHunrHZPzzaUhY=", "Group": "Default"}{"C2 url": "https://api.telegram.org/bot5980420064:AAHGrlOU2WsgF90Pcyz-L7wrGgC_Cj54k4Q/sendMessage"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 6 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen |
| |
| INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen |
| |
| Click to see the 56 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infosteslers | ditekSHen |
| |
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
| INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infosteslers | ditekSHen |
| |
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| Click to see the 44 entries | ||||
Stealing of Sensitive Information |   |
|---|
| Source: | Author: Joe Security: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Malware Configuration Extractor: | ||