
Analysis Report 8UT1RfjZ0z.exe

Overview

General Information

Joe Sandbox Version: 24.0.0
Analysis ID: 61769
Start date: 09.10.2018
Start time: 20:05:40
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 16m 41s
Hypervisor based Inspection enabled: true
Report type: full
Sample file name: 8UT1RfjZ0z.exe
Cookbook file name: default.jbs
Analysis system description: W7x64 Native with HVM (patch level Feb 2018, Office 2016, Java 1.8.0_161, Flash 28, Acrobat Reader DC 18, Internet Explorer 11, Chrome 64, Firefox 58)
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.bank.evad.winEXE@1/1@219/4
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 92%
  • Number of executed functions: 69
  • Number of non-executed functions: 138
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): LMS.exe, IntelMeFWService.exe, sppsvc.exe, devmonsrv.exe, WMIADAP.exe, mediasrv.exe, obexsrv.exe, mscorsvw.exe, jhi_service.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy    Score   Range     Reporting        Detection
Threshold   84      0 - 100   Report FP / FN   malicious

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false


Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Signature Overview



Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0041A4F0 GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0040E5B0 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00419C40 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,wsprintfW,FindFirstFileW,StrCpyW,StrCatW,wsprintfW,FindNextFileW,FindClose,ExpandEnvironmentStringsW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00403590 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree

Networking:

Performs DNS lookups
Source: unknown -- DNS traffic detected: queries for: pin.kmsconsultantsllc.com
Urls found in memory or binary data
Source: 8UT1RfjZ0z.exe, 00000000.00000002.794851528.0000000002943000.00000004.sdmp -- String found in binary or memory: https://pin.kmsconsultantsllc.com:80/rpersist4/1958300021
Source: 8UT1RfjZ0z.exe, 00000000.00000002.792580964.000000000207C000.00000004.sdmp -- String found in binary or memory: https://pixmania.biz:80/
Source: 8UT1RfjZ0z.exe, 00000000.00000002.794804211.000000000291C000.00000004.sdmp, 8UT1RfjZ0z.exe, 00000000.00000002.794851528.0000000002943000.00000004.sdmp -- String found in binary or memory: https://pixmania.biz:80/rpersist4/1958300021
Source: 8UT1RfjZ0z.exe, 00000000.00000002.794784118.0000000002910000.00000004.sdmp -- String found in binary or memory: https://pizzza-la.com:80/
Source: 8UT1RfjZ0z.exe, 00000000.00000002.794804211.000000000291C000.00000004.sdmp, 8UT1RfjZ0z.exe, 00000000.00000002.794851528.0000000002943000.00000004.sdmp -- String found in binary or memory: https://pizzza-la.com:80/rbody320
Source: 8UT1RfjZ0z.exe, 00000000.00000002.792580964.000000000207C000.00000004.sdmp -- String found in binary or memory: https://stormsfronts.com:80/

E-Banking Fraud:

Detected Gootkit banking trojan
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,GetNativeSystemInfo,GetSystemInfo,RegOpenKeyW,RegQueryValueExW,StrStrIW,Sleep,RegCloseKey,Sleep,0_2_0040DD20

System Summary:

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Memory allocated: 76EC0000 page execute and read and write
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Memory allocated: 76DC0000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00415620 LoadLibraryA,GetProcAddress,NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,VirtualFree,VirtualFree
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00408EC0 OpenProcess,ProcessIdToSessionId,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,SetTokenInformation,CreateEnvironmentBlock,CreateProcessAsUserW,OpenProcessToken,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,CloseHandle,CloseHandle
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0041AF10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
Creates mutexes
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Mutant created: \Sessions\1\BaseNamedObjects\ServiceEntryPointThread
Detected potential crypto function
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00404E60
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0041A4F0
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0040EB00
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00415FE0
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00408EC0
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_004106C0
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_004124A0
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_004099B0
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_004334C7
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00433D6E
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0043417A
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0043399A
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0043459A
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0042D1A2
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_004334C7
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_0042D1A2
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_00430BAF
PE file contains strange resources
Source: 8UT1RfjZ0z.exe -- Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: 8UT1RfjZ0z.exe, 00000000.00000002.796382376.0000000003880000.00000008.sdmp -- Binary or memory string: OriginalFilenameKernelbasej% vs 8UT1RfjZ0z.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- File read: C:\Users\user\Desktop\8UT1RfjZ0z.exe
Classification label
Source: classification engine -- Classification label: mal84.bank.evad.winEXE@1/1@219/4
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0041AF10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_004047B0 LookupPrivilegeValueA,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0040D500 CoInitialize,CoCreateInstance,StrStrIW,StrStrIW,StrStrIW,StrCpyNW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoUninitialize
Creates files inside the user directory
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- File created: C:\Users\user\Desktop\8UT1RfjZ0z.inf
PE file has an executable .text section and no other executable section
Source: 8UT1RfjZ0z.exe -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
PE file contains a valid data directory to section mapping
Source: 8UT1RfjZ0z.exe -- Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8UT1RfjZ0z.exe -- Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8UT1RfjZ0z.exe -- Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8UT1RfjZ0z.exe -- Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8UT1RfjZ0z.exe -- Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0041B060 LoadLibraryA,GetProcAddress,SystemFunction036
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0041FC3A push 00000002h; iretd 0_2_0041FC68
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00420ACE push esp; ret 0_2_00420AD0
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0041F08E push 65582770h; iretd 0_2_0041F0B8
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0041FB57 push 00000041h; iretd 0_2_0041FB59
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0041F3E2 push edi; retf 0_2_0041F3E3
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_0040203D push eax; ret 0_1_00402072
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_0040714A push eax; ret 0_1_004071D9
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_00401D4F push eax; iretd 0_1_00401D7E
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_00429509 push ecx; ret 0_1_0042951C
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_0040710D push eax; retf 0_1_0040710E
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_00401D1E push eax; iretd 0_1_00401D7E
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_0040D31B push eax; retf 0_1_0040D354
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_00405FDF push eax; retf 0_1_00405FF0
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_0040339F push esp; retf 0_1_004033A0

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_002302B2 RtlExitUserThread,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Checks if the current machine is a sandbox (computer name check)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: GetComputerName, String check: SANDBOX
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: GetComputerName, String check: SANDBOX
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: GetComputerName, String check: SANDBOX
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: GetComputerName, String check: SANDBOX
Checks if the current machine is a sandbox (user name check)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: GetUserName, String check: CurrentUser
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: GetUserName, String check: CurrentUser
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: GetUserName, String check: CurrentUser
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: GetUserName, String check: CurrentUser
Checks if the current machine is a virtual machine (via SystemBiosVersion)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: Key Value Queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System SystemBiosVersion String check: AMI
Checks if the current machine is a virtual machine (via VideoBiosVersion)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: Key Value Queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System VideoBiosVersion String check: VirtualBox
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: Key Value Queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System VideoBiosVersion String check: VirtualBox
Checks if the machine has a Xeon CPU (likely to evade sandboxes)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: Key Value Queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString String check: Xeon
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: Key Value Queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString String check: Xeon
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: Key Value Queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString String check: Xeon
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Function Chain: Key Value Queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString String check: Xeon
Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetModuleHandleA,GetModuleHandleA,GetUserNameA,lstrcmpA,lstrcmpA,GetComputerNameA,lstrcmpA,lstrcmpA,StrStrA,StrStrA,StrStrA,StrStrA,StrStrA,0_2_00404E60
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: EntryPoint,SetErrorMode,SetErrorMode,LoadLibraryA,GetProcAddress,GetCommandLineW,GetProcessHeap,HeapAlloc,GetModuleFileNameW,StrStrIW,ExitProcess,StrStrIW,GetCurrentProcess,GetVersion,GetProcessHeap,HeapFree,ExitProcess,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExitProcess,CreateThread,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,Sleep,0_2_00415FE0
Contains functionality to detect sandboxes (checksum based sample name check)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00404B80 PathFindFileNameW
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Evasive API call chain: CreateMutex,DecisionNodes,Sleep -- graph_0-11752
Tries to detect Sandboxie (via GetModuleHandle check)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Module handle queried: sbiedll.dll
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 539485
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 539485
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 494360
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 517719
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 494360
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 262154
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 517719
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 402700
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 539485
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 624507
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 623390
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 473701
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 413504
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 423282
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 304937
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 183540
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 576643
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Window / User API: threadDelayed 2107
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Evasive API call chain: RegOpenKey,DecisionNodes,Sleep -- graph_0-12024
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Check user administrative privileges: GetTokenInformation,DecisionNodes -- graph_0-12328
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4048 -- Thread sleep time: -70000s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -600000s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4044 -- Thread sleep count: 2107 > 30
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4044 -- Thread sleep time: -126420000s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -539485s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4032 -- Thread sleep time: -539485s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -494360s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -517719s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4032 -- Thread sleep time: -1483080s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -262154s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4032 -- Thread sleep time: -1035438s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -153377s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -402700s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4032 -- Thread sleep time: -539485s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -624507s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -623390s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -473701s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -413504s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -70495s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -423282s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4032 -- Thread sleep time: -153377s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -304937s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -183540s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -576643s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4036 -- Thread sleep time: -170182s >= -60000s
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe TID: 4012 -- Thread sleep time: -922337203685477s >= -60000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0041A4F0 GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0040E5B0 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00419C40 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,wsprintfW,FindFirstFileW,StrCpyW,StrCatW,wsprintfW,FindNextFileW,FindClose,ExpandEnvironmentStringsW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00403590 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Contains functionality to query system information
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0040DD20 GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,GetNativeSystemInfo,GetSystemInfo,RegOpenKeyW,RegQueryValueExW,StrStrIW,Sleep,RegCloseKey,Sleep
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: 8UT1RfjZ0z.exe, 00000000.00000002.794851528.0000000002943000.00000004.sdmp, 8UT1RfjZ0z.inf.0.dr -- Binary or memory string: [yaimujrpziogbwqemuywxocvawnpyymgcrbqpypanqhkiobylfhya]
Source: 8UT1RfjZ0z.exe, 00000000.00000002.794851528.0000000002943000.00000004.sdmp, 8UT1RfjZ0z.inf.0.dr -- Binary or memory string: RunPreSetupCommands = yaimujrpziogbwqemuywxocvawnpyymgcrbqpypanqhkiobylfhya:2
Source: 8UT1RfjZ0z.inf.0.dr -- Binary or memory string: RunPreSetupCommands = cileucmtoslylervmcixdihqdytfsevseapytofvj:2
Source: 8UT1RfjZ0z.inf.0.dr -- Binary or memory string: [cileucmtoslylervmcixdihqdytfsevseapytofvj]
Program exit points
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- API call chain: ExitProcess graph end node -- graph_0-11776
Queries a list of all running processes
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0042DBBB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0041B060 LoadLibraryA,GetProcAddress,SystemFunction036
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_002304C1 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00406E70 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0042DE56 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0042DBBB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_00429943 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_1_0042DBBB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00411960 _chkstk,RegGetKeySecurity,InitializeSecurityDescriptor,GetSecurityDescriptorDacl,GetAclInformation,LocalAlloc,InitializeAcl,LocalFree,GetAce,LocalFree,AddAce,LocalFree,SetSecurityDescriptorDacl,LocalFree,RegSetKeySecurity,LocalFree,LocalFree
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00403450 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityW,FreeSid,LocalFree,LocalFree
May try to detect the Windows Explorer process (often used for injection)
Source: 8UT1RfjZ0z.exe, 00000000.00000002.791686687.0000000000990000.00000002.sdmp -- Binary or memory string: Program Manager
Source: 8UT1RfjZ0z.exe, 00000000.00000002.791686687.0000000000990000.00000002.sdmp -- Binary or memory string: Shell_TrayWnd
Source: 8UT1RfjZ0z.exe, 00000000.00000002.791686687.0000000000990000.00000002.sdmp -- Binary or memory string: Progman

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoA,0_2_0043182C
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: _GetPrimaryLen,EnumSystemLocalesA,0_2_00431CD2
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: EnumSystemLocalesA,0_2_00431CD1
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLastError,__alloca_probe_16,WideCharToMultiByte,GetLocaleInfoA,0_2_0042E6DE
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: EnumSystemLocalesA,0_2_00431CA7
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: _TranslateName,_TranslateName,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,0_2_00431D72
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoA,0_2_0043190E
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: _GetPrimaryLen,EnumSystemLocalesA,0_2_00431D37
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: EnumSystemLocalesA,0_2_00431D36
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoA,0_2_00431BE6
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoA,0_2_004353EC
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoA,_GetPrimaryLen,0_2_004319A4
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoA,0_1_0043182C
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,0_1_0042E568
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoA,0_1_0043190E
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoA,_GetPrimaryLen,_strlen,0_1_004319A4
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,0_1_00431A16
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,0_1_0042E6DE
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoA,0_1_00431BE6
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: GetLocaleInfoA,0_1_004353EC
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00435635 cpuid
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the installation date of Windows
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the product ID of Windows
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00403130 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,CreateFileW,GetFileTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,CloseHandle,GetProcessHeap,HeapFree
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00404E60 GetModuleHandleA,GetModuleHandleA,GetUserNameA,lstrcmpA,lstrcmpA,GetComputerNameA,lstrcmpA,lstrcmpA,StrStrA,StrStrA,StrStrA,StrStrA,StrStrA
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0043581C GetTimeZoneInformation
Contains functionality to query windows version
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_00410AA0 GetModuleHandleW,GetVersion,GetCurrentProcessId,CreateEventW,GetLastError,GetProcessHeap,HeapAlloc,GetComputerNameW,lstrcpyW

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\8UT1RfjZ0z.exe -- Code function: 0_2_0040DBB0 WSAStartup,socket,GetCurrentProcessId,inet_addr,htons,bind,closesocket

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 61769
Sample: 8UT1RfjZ0z.exe
Startdate: 09/10/2018
Architecture: WINDOWS
Score: 84

Graph nodes (recovered from the rendered graph):
  • Process: 8UT1RfjZ0z.exe 3 1 (started)
  • DNS/IP: pizzza-la.com
  • DNS/IP: pixmania.biz
  • DNS/IP: zeon.knowyourself.us 185.77.129.221, 80, QHOSTERBG, Netherlands
  • DNS/IP: stormsfronts.com 209.99.40.222, 49166, 49167, 49177, CONFLUENCE-NETWORK-INC-ConfluenceNetworksIncVG, United States
  • 3 other IPs or domains
  • Signature: Detected Gootkit banking trojan
  • Signature: Found evasive API chain (may stop execution after checking mutex)
  • Signature: Checks if the current machine is a sandbox (computer name check)
  • 7 other signatures

Simulations

Behavior and APIs

Time       Type              Description
20:09:40   API Interceptor   11689x Sleep call for process: 8UT1RfjZ0z.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.