
Windows Analysis Report
v6DLIositV.exe

Overview

General Information

Sample Name: v6DLIositV.exe
Original Sample Name: 2023-02-17_9de48e7cfc2bc56631387e527f859efd_cryptolocker.exe
Analysis ID: 810502
MD5: 9de48e7cfc2bc56631387e527f859efd
SHA1: 959b863e84103132f89a10a7fd6981771881f763
SHA256: 215c37360388d16653ffc1740c639d486753a9db69a8ad4f3e1b172b1b712df4
Tags: exe

Detection

Upatre
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Upatre
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Drops PE files
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
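The JA3 signature above is a hash of the TLS ClientHello the sample sent, so it can be matched against threat-intel feeds without decrypting the session. The following is an added example (not Joe Sandbox code) that computes JA3 the way the reference implementation does: client version, cipher suites, extension types, supported groups and EC point formats, all in decimal, GREASE values removed, then MD5. The ClientHello it parses is constructed inside the script; it is not the sample's real traffic, and the report does not give the cipher or extension lists behind 37f463bf4616ecd445d4a1937da06e19, so the hash printed here will not equal that value.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are dropped, as the reference JA3 code does, so that
# browsers which randomise them still produce a stable fingerprint.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def _u16_list(data: bytes, offset: int, nbytes: int) -> list:
    return [struct.unpack_from(">H", data, offset + i)[0] for i in range(0, nbytes, 2)]


def ja3_string(record: bytes) -> str:
    """Build the JA3 string 'Version,Ciphers,Extensions,Curves,PointFormats'
    from a raw TLS record carrying a ClientHello."""
    ctype, _rec_ver, rec_len = struct.unpack_from(">BHH", record, 0)
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 0
    version = struct.unpack_from(">H", hello, pos)[0]
    pos += 2 + 32                      # client_version, random
    pos += 1 + hello[pos]              # session_id (length-prefixed)
    cs_len = struct.unpack_from(">H", hello, pos)[0]
    pos += 2
    ciphers = [c for c in _u16_list(hello, pos, cs_len) if c not in GREASE]
    pos += cs_len
    pos += 1 + hello[pos]              # compression_methods

    ext_types, curves, formats = [], [], []
    if pos < len(hello):
        end = pos + 2 + struct.unpack_from(">H", hello, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", hello, pos)
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10:            # supported_groups
                n = struct.unpack_from(">H", data, 0)[0]
                curves = [g for g in _u16_list(data, 2, n) if g not in GREASE]
            elif etype == 11:          # ec_point_formats
                formats = list(data[1:1 + data[0]])

    dash = lambda xs: "-".join(str(x) for x in xs)
    return ",".join([str(version), dash(ciphers), dash(ext_types), dash(curves), dash(formats)])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack(">HH", etype, len(data)) + data


def build_client_hello(version, ciphers, groups, point_formats, sni):
    """Assemble a minimal TLS 1.2 ClientHello record (constructed test input)."""
    name = sni.encode()
    sni_data = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    groups_data = struct.pack(">H", 2 * len(groups)) + b"".join(struct.pack(">H", g) for g in groups)
    formats_data = bytes([len(point_formats)]) + bytes(point_formats)
    sigalgs_data = struct.pack(">HH", 2, 0x0401)           # rsa_pkcs1_sha256
    exts = _ext(0, sni_data) + _ext(10, groups_data) + _ext(11, formats_data) + _ext(13, sigalgs_data)
    body = (struct.pack(">H", version)
            + b"\x00" * 32                                   # random (zeroed; constructed)
            + b"\x00"                                        # empty session_id
            + struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
            + b"\x01\x00"                                    # one compression method: null
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", 0x16, 0x0301, len(handshake)) + handshake


# Constructed ClientHello for gemlttwi.com; not the sample's captured traffic.
SAMPLE_CLIENT_HELLO = build_client_hello(
    version=0x0303, ciphers=(0xC02B, 0xC02F, 0x002F),
    groups=(0x001D, 0x0017), point_formats=(0,), sni="gemlttwi.com")
# Same hello with a GREASE cipher prepended; JA3 must ignore it.
GREASED_CLIENT_HELLO = build_client_hello(
    version=0x0303, ciphers=(0x0A0A, 0xC02B, 0xC02F, 0x002F),
    groups=(0x001D, 0x0017), point_formats=(0,), sni="gemlttwi.com")

if __name__ == "__main__":
    print(ja3_string(SAMPLE_CLIENT_HELLO))   # 771,49195-49199-47,0-10-11-13,29-23,0
    print(ja3_hash(SAMPLE_CLIENT_HELLO))
```

To compare a live capture against the report's value, feed the first TLS record of the client's flow (the bytes Wireshark shows as the ClientHello) to ja3_hash; a match means the same TLS stack configuration, not necessarily the same malware, which is why Joe reports it as "seen in connection with other malware" rather than as a verdict on its own.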

Classification

  • System is w10x64
  • v6DLIositV.exe (PID: 2952 cmdline: C:\Users\user\Desktop\v6DLIositV.exe MD5: 9DE48E7CFC2BC56631387E527F859EFD)
    • hurok.exe (PID: 5104 cmdline: "C:\Users\user\AppData\Local\Temp\hurok.exe" MD5: 9313C9760ABEE035167EC3A7CC743EB2)
  • cleanup
Name: Upatre
Description: Upatre is primarily a downloader. It was first seen in 2013 and has been updated extensively since. Upatre delivers further malware to its victims; in particular it was a prolific delivery mechanism for Gameover P2P (Zeus) in 2013-2014 and for Dyre in 2015.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre

Malware configuration (extracted): {"C2 urls": "gemlttwi.com/tech/2mr.exe"}
Yara matches (memory dumps)
Source: 00000000.00000003.303571500.00000000005B0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Upatre | Description: Yara detected Upatre | Author: Joe Security
Source: 00000000.00000002.306318619.0000000000401000.00000020.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Upatre | Description: Yara detected Upatre | Author: Joe Security
Source: 00000001.00000003.305686991.0000000002060000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Upatre | Description: Yara detected Upatre | Author: Joe Security
Source: 00000001.00000002.314199017.0000000000401000.00000020.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Upatre | Description: Yara detected Upatre | Author: Joe Security

Yara matches (unpacked PE files)
Source: 0.2.v6DLIositV.exe.400000.0.unpack | Rule: JoeSecurity_Upatre | Description: Yara detected Upatre | Author: Joe Security
Source: 0.3.v6DLIositV.exe.5b08e7.0.raw.unpack | Rule: JoeSecurity_Upatre | Description: Yara detected Upatre | Author: Joe Security
Source: 1.3.hurok.exe.20608e7.0.raw.unpack | Rule: JoeSecurity_Upatre | Description: Yara detected Upatre | Author: Joe Security
Source: 1.2.hurok.exe.400000.0.unpack | Rule: JoeSecurity_Upatre | Description: Yara detected Upatre | Author: Joe Security

Sigma: No Sigma rule has matched

Snort IDS alert
Timestamp: 02/17/23-06:19:57.094300
Source IP: 192.168.2.4
Destination IP: 192.185.35.56
Source Port: 49696
Destination Port: 443
Protocol: TCP
SID: 2017726
Classtype: A Network Trojan was detected


AV Detection

Source: v6DLIositV.exe | Avira: detected
Source: v6DLIositV.exe | Virustotal: Detection: 85%
Source: gemlttwi.com/tech/2mr.exe | Avira URL Cloud: Label: malware
Source: https://gemlttwi.com/tech/2mr.exe | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\hurok.exe | Avira: detection malicious, Label: TR/Agent.AGY.4
Source: C:\Users\user\AppData\Local\Temp\hurok.exe | Joe Sandbox ML: detected
Source: v6DLIositV.exe | Joe Sandbox ML: detected
Source: 1.0.hurok.exe.400000.0.unpack | Avira: Label: TR/Agent.AGY.4
Source: 0.2.v6DLIositV.exe.21c45b8.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.v6DLIositV.exe.400000.0.unpack | Avira: Label: TR/Agent.AGY.4
Source: 1.2.hurok.exe.21845b8.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.hurok.exe.400000.0.unpack | Malware Configuration Extractor: Upatre {"C2 urls": "gemlttwi.com/tech/2mr.exe"}

Compliance

Source: C:\Users\user\Desktop\v6DLIositV.exe | Unpacked PE file: 0.2.v6DLIositV.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\hurok.exe | Unpacked PE file: 1.2.hurok.exe.400000.0.unpack
Source: v6DLIositV.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 192.185.35.56:443 -> 192.168.2.4:49696 version: TLS 1.2

Networking

Source: Traffic | Snort IDS: 2017726 ET TROJAN Downloader (P2P Zeus dropper UA) 192.168.2.4:49696 -> 192.185.35.56:443
Source: Malware configuration extractor | URLs: gemlttwi.com/tech/2mr.exe
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: global traffic | HTTP traffic detected (response):
  HTTP/1.1 404 Not Found
  Date: Fri, 17 Feb 2023 05:19:57 GMT
  Server: Apache
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  Link: <https://gemlttwi.com/wp-json/>; rel="https://api.w.org/"
  Upgrade: h2,h2c
  Connection: Upgrade
  Vary: Accept-Encoding
  X-Endurance-Cache-Level: 2
  X-nginx-cache: WordPress
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=UTF-8
Source: Amcache.hve.1.dr | String found in binary or memory: http://upx.sf.net
Source: unknown | DNS traffic detected: queries for: gemlttwi.com
Source: C:\Users\user\Desktop\v6DLIositV.exe | Code function 0_2_00401020, API call sequence: EntryPoint, GetModuleHandleW, ExitProcess, HeapCreate, HeapAlloc, RtlAllocateHeap, HeapAlloc, GetModuleFileNameW, GetTempPathW, wsprintfW, CreateFileW, GetFileSize, lstrlenW, lstrlenW, RtlAllocateHeap, ReadFile, lstrcmpW, lstrlenW, EntryPoint, CreateFileW, lstrlenW, WriteFile, CloseHandle, FindCloseChangeNotification, CloseHandle, GetTempPathW, ShellExecuteW, CloseHandle, DeleteFileW, InternetOpenW, InternetConnectW, InternetConnectW, HttpOpenRequestW, HttpOpenRequestW, InternetQueryOptionW, InternetSetOptionW, HttpSendRequestW, HttpQueryInfoW, HeapAlloc, InternetReadFile, CreateFileW, WriteFile, CloseHandle, GetCurrentDirectoryW, wsprintfW
Source: global traffic | HTTP traffic detected (request):
  GET /tech/2mr.exe HTTP/1.1
  Accept: text/*, application/*
  User-Agent: Updates downloader
  Host: gemlttwi.com
  Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 192.185.35.56:443 -> 192.168.2.4:49696 version: TLS 1.2
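The captured request is the most actionable artifact in this section: the server answered 404, so the second stage (2mr.exe) was not obtained during the run, but the beacon itself proves the infection and carries a fixed, non-browser User-Agent ("Updates downloader") alongside the URL from the extracted configuration. The script below is an added example, not Joe Sandbox's code and not the body of ET rule 2017726 (which is not reproduced on this page; that it keys on the User-Agent is an assumption). It parses raw HTTP/1.x requests and flags the Upatre fetch on three independent indicators, so it still fires when only one of them is known. The request log it runs over is constructed; the first entry is the request as the report shows it. Because the sandbox saw this request in the clear inside a TLS session on port 443, the same check on a production network needs TLS inspection; without it, fall back to the DNS query, the destination IP and the JA3 value above.

```python
from typing import Dict, List

# Indicators taken from the report: the request's User-Agent and the C2 URL in
# the extracted Upatre configuration.
UPATRE_USER_AGENT = "Updates downloader"
KNOWN_C2_URLS = {"gemlttwi.com/tech/2mr.exe"}
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.x request into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def assess_request(raw: str) -> Dict[str, object]:
    """Return the requested URL, every indicator that matched, and a verdict."""
    req = parse_request(raw)
    headers = req["headers"]
    url = headers.get("host", "") + req["target"]
    ua = headers.get("user-agent", "")
    reasons: List[str] = []
    if ua == UPATRE_USER_AGENT:
        reasons.append("User-Agent matches the Upatre downloader string")
    if url in KNOWN_C2_URLS:
        reasons.append("URL matches the extracted C2 configuration")
    # Weaker, generic heuristic: a PE fetched by something that is not a browser.
    if req["target"].lower().endswith(".exe") and not ua.startswith(BROWSER_UA_PREFIXES):
        reasons.append("executable fetched by a non-browser client")
    return {"url": url, "reasons": reasons, "malicious": bool(reasons)}


def assess_many(raws: List[str]) -> List[Dict[str, object]]:
    return [assess_request(r) for r in raws]


# Constructed request log. The first entry is the request captured in the
# report; the other two are benign filler to show the heuristics do not fire.
SAMPLE_REQUESTS = [
    "GET /tech/2mr.exe HTTP/1.1\r\nAccept: text/*, application/*\r\n"
    "User-Agent: Updates downloader\r\nHost: gemlttwi.com\r\nCache-Control: no-cache\r\n\r\n",
    "GET /wp-json/ HTTP/1.1\r\nHost: gemlttwi.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nAccept: text/html\r\n\r\n",
    "GET /download/setup.exe HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nAccept: */*\r\n\r\n",
]

if __name__ == "__main__":
    for verdict in assess_many(SAMPLE_REQUESTS):
        flag = "MALICIOUS" if verdict["malicious"] else "ok"
        print(f"{flag:9} {verdict['url']}  {'; '.join(verdict['reasons'])}")
```

The User-Agent and C2 URL checks are exact-match indicators and will go stale when the campaign rotates hosts; the third check is the one worth keeping in a detection pipeline as a low-confidence signal to correlate with process telemetry (here: a binary in %TEMP% launched via ShellExecuteW making the request).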