Edit tour
Windows
Analysis Report
tZvjMg3Hw9.exe
Overview
General Information
Sample name: | tZvjMg3Hw9.exerenamed because original name is a hash value |
Original sample name: | fbb5534d3c24553179a13cc7b9c38685.exe |
Analysis ID: | 1434850 |
MD5: | fbb5534d3c24553179a13cc7b9c38685 |
SHA1: | 4f14d7dc5d966672abd4700b054307e096b88b48 |
SHA256: | a1c687574b512e60c254447937836a11aca2ef11a928cf28c5e9e9138f7ce934 |
Tags: | 64exePrivateLoadertrojan |
Infos: | |
Detection
PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Vidar stealer
Yara detected zgRAT
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Windows Defender Exclusions Added - Registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- tZvjMg3Hw9.exe (PID: 2876 cmdline:
"C:\Users\ user\Deskt op\tZvjMg3 Hw9.exe" MD5: FBB5534D3C24553179A13CC7B9C38685) - lrPP7Py6j59vWWqs5P8cBSO1.exe (PID: 5768 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\lrPP 7Py6j59vWW qs5P8cBSO1 .exe MD5: 23A62B359F3A8AC9C4432982612685F2) - pnUE3Ri3AJFo6xuNgBEk3Rs_.exe (PID: 5084 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\pnUE 3Ri3AJFo6x uNgBEk3Rs_ .exe MD5: 43B8B44CC90AA0B9513702A26402225B) - c7pGL4_L_P3yOlPkhT4UG9k1.exe (PID: 5816 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\c7pG L4_L_P3yOl PkhT4UG9k1 .exe MD5: B091C4848287BE6601D720997394D453) - powercfg.exe (PID: 6820 cmdline:
C:\Windows \system32\ powercfg.e xe /x -hib ernate-tim eout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - powercfg.exe (PID: 6828 cmdline:
C:\Windows \system32\ powercfg.e xe /x -hib ernate-tim eout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - powercfg.exe (PID: 6376 cmdline:
C:\Windows \system32\ powercfg.e xe /x -sta ndby-timeo ut-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - powercfg.exe (PID: 5028 cmdline:
C:\Windows \system32\ powercfg.e xe /x -sta ndby-timeo ut-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - ZzA4CiLYTNO5oC4gZR_wrNaZ.exe (PID: 6512 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\ZzA4 CiLYTNO5oC 4gZR_wrNaZ .exe MD5: 5E26F758424A931E10F47DF3A5BD657B) - RegAsm.exe (PID: 1772 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 5680 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 5668 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 6824 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 6132 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - cWSgbiiWuHkrGD6e9Bvvb03z.exe (PID: 1240 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\cWSg biiWuHkrGD 6e9Bvvb03z .exe MD5: 0663ACC77B47A56BBE20976B47BADAD9) - MSBuild.exe (PID: 7064 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\MsBu ild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232) - conhost.exe (PID: 1988 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - 1sMfNqnOFjTOadWc0yClvu5P.exe (PID: 2724 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\1sMf NqnOFjTOad Wc0yClvu5P .exe MD5: 456A86D30C8506883A00BBAFC9AB9EC3) - RegAsm.exe (PID: 6676 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 6160 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - WerFault.exe (PID: 3648 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 2 724 -s 316 MD5: C31336C1EFC2CCB44B4326EA793040F2) - tDrDIT3EJ93dpzmmxTIMr4ah.exe (PID: 2136 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\tDrD IT3EJ93dpz mmxTIMr4ah .exe MD5: F500AF69B3EFC5708420C2C024250D4D) - gEsYklrF8leHWug4608tQIe6.exe (PID: 2132 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\gEsY klrF8leHWu g4608tQIe6 .exe MD5: 9B26DF7B01C8A4EF9A52E0290969CA02) - Install.exe (PID: 3292 cmdline:
.\Install. exe MD5: 608AA9E16028E3532A0AB062791F55BA) - vLezrpzeJwHmxmMpZ0dBr09m.exe (PID: 4372 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\vLez rpzeJwHmxm MpZ0dBr09m .exe MD5: B544AE108C0ED5DD50E71D222EA2758C) - _MpzZq9udo_WMns6EY9VnO9e.exe (PID: 2804 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\_Mpz Zq9udo_WMn s6EY9VnO9e .exe MD5: 143C2A0EDCEBEF4D3B44EDF92F301367) - smXaUwB1apxcy5uQ1QhDrzwt.exe (PID: 5532 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\smXa UwB1apxcy5 uQ1QhDrzwt .exe MD5: 8A5AC55FCE35D8A033DED9E56940152A) - FXnrFSfIY3onUvtSB3cuKesF.exe (PID: 1864 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\FXnr FSfIY3onUv tSB3cuKesF .exe MD5: 390C7E4868800A8C55CE5A995A65384B) - FXnrFSfIY3onUvtSB3cuKesF.tmp (PID: 3620 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-RS8 8H.tmp\FXn rFSfIY3onU vtSB3cuKes F.tmp" /SL 5="$A0070, 4844569,54 272,C:\Use rs\user\Do cuments\Si mpleAdobe\ FXnrFSfIY3 onUvtSB3cu KesF.exe" MD5: CA156553BC853FE4487A75E7E0746810) - ijWSnAA5feFcALhcRIb98yTf.exe (PID: 2448 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\ijWS nAA5feFcAL hcRIb98yTf .exe MD5: B262DCFBA77DD333A3118EA3FAD9E261) - 9AzlS7F3tYa6PD9PpLcR316P.exe (PID: 6092 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\9Azl S7F3tYa6PD 9PpLcR316P .exe MD5: D15459E9B9D12244A57809BC383B2757) - TrIR3OjzF5zT6wur9yJ59R0V.exe (PID: 6968 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\TrIR 3OjzF5zT6w ur9yJ59R0V .exe MD5: 50C2351D515F9EA10496E4E33401BD2F) - N_fzNzObxT0UJ9JQqz4nPKUC.exe (PID: 7136 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\N_fz NzObxT0UJ9 JQqz4nPKUC .exe MD5: 34B3E9F4D9A361CE02C10E64D80EAB4F)
- svchost.exe (PID: 5508 cmdline:
C:\Windows \system32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 6772 cmdline:
C:\Windows \system32\ svchost.ex e -k Local SystemNetw orkRestric ted -s WPD BusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 4980 cmdline:
C:\Windows \System32\ svchost.ex e -k NetSv cs -p -s N caSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 6628 cmdline:
C:\Windows \System32\ svchost.ex e -k WerSv cGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - WerFault.exe (PID: 6496 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 436 -p 27 24 -ip 272 4 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution |
{"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "03cea2609023d13f145ac6c5dc897112", "Version": "9.3"}
{"C2 url": ["5.42.65.96:28380"], "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
| |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
| |
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
Click to see the 21 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
| |
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen |
| |
Click to see the 22 entries |
Change of critical system settings |
---|
Source: | Author: Joe Security: |
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Christian Burkard (Nextron Systems): |
Source: | Author: vburov: |
Timestamp: | 05/01/24-20:26:11.832750 |
SID: | 2049837 |
Source Port: | 49710 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | URL Reputation: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Change of critical system settings |
---|
Source: | Registry key created or modified: | Jump to behavior | ||
Source: | Registry key created or modified: | Jump to behavior | ||
Source: | Registry key created or modified: | |||
Source: | Registry key created or modified: |
Source: | Code function: | 10_2_00CF46C6 |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Snort IDS: |
Source: | URLs: | ||
Source: | URLs: |
Source: | TCP traffic: |
Source: | File created: | ||
Source: | File created: |
Source: | DNS query: |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | HTTP traffic detected: |