Windows
Analysis Report
file.exe
Overview
General Information
Detection
AsyncRAT, StormKitty, WorldWind Stealer
Field | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Telegram Recon
Malicious sample detected (through community Yara rule)
Sigma detected: Capture Wi-Fi password
Yara detected Telegram RAT
Antivirus / Scanner detection for submitted sample
Yara detected StormKitty Stealer
Antivirus detection for URL or domain
Yara detected WorldWind Stealer
Yara detected AsyncRAT
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to log keystrokes (.Net Source)
Uses the Telegram API (likely for C&C communication)
Tries to harvest and steal WLAN passwords
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
May check the online IP address of the machine
.NET source code contains potential unpacker
Yara detected Generic Downloader
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc.)
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number, etc.)
Queries the product ID of Windows
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- file.exe (PID: 5740, cmdline: C:\Users\user\Desktop\file.exe, MD5: C03A7CEDC3314E6F0DC26431503DD035)
  - cmd.exe (PID: 7128, cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, MD5: F3BDBE3BB6F734E357235F4D5898582D)
    - conhost.exe (PID: 7136, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    - chcp.com (PID: 812, cmdline: chcp 65001, MD5: 561054CF9C4B2897E80D7E7D9027FED9)
    - netsh.exe (PID: 3872, cmdline: netsh wlan show profile, MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
    - findstr.exe (PID: 1424, cmdline: findstr All, MD5: 8B534A7FC0630DE41BB1F98C882C19EC)
  - cmd.exe (PID: 2752, cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid, MD5: F3BDBE3BB6F734E357235F4D5898582D)
    - conhost.exe (PID: 5268, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    - chcp.com (PID: 5928, cmdline: chcp 65001, MD5: 561054CF9C4B2897E80D7E7D9027FED9)
    - netsh.exe (PID: 5916, cmdline: netsh wlan show networks mode=bssid, MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
- cleanup
Name | Description | Attribution
---|---|---
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. | No Attribution
Cameleon, StormKitty | PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands. | No Attribution
{"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot6154715708:AAFzLcpt7CU7GhHYDqN7AZi1rev_GZv5Qe4/sendMessage?chat_id=1165040754", "Version": "", "AES_key": "4qsKtpuqPkY57c6vW77AyPmuPai9cZ4h", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "[removed]", "ServerSignature": "[removed]", "Group": "Default"}
{"C2 url": "https://api.telegram.org/bot6154715708:AAFzLcpt7CU7GhHYDqN7AZi1rev_GZv5Qe4/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 3918, "from": {"id": 6154715708, "is_bot": true, "first_name": "oRG", "username": "XChannX_bot"}, "chat": {"id": 1165040754, "first_name": "\u0196\u1ee9\u010d\u1ecb\u1e1f\u0454\u04f7", "last_name": "\uff7f\u012f\u028d\u1e4d\u1e5d\u1e45\u0268\u1e45\u0262\u0455\u1e6f\u1ea3\u1e5d", "username": "Lucifer7005", "type": "private"}, "date": 1687548098, "text": "\ud83d\udcc1 Uploading Log Folders..."}}]}
Rule | Description | Author
---|---|---
JoeSecurity_WorldWindStealer | Yara detected WorldWind Stealer | Joe Security
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_WorldWindStealer | Yara detected WorldWind Stealer | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_WorldWindStealer | Yara detected WorldWind Stealer | Joe Security
JoeSecurity_WorldWindStealer | Yara detected WorldWind Stealer | Joe Security
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_WorldWindStealer | Yara detected WorldWind Stealer | Joe Security
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security
Stealing of Sensitive Information
Author: Joe Security
No Snort rule has matched
AV Detection
Source: Malware Configuration Extractor