
Analysis Report 4ifN8B061M

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 1014791
Start date: 09.12.2019
Start time: 09:30:46
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 7m 31s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 4ifN8B061M (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA (Hybrid Code Analysis) enabled
  • EGA (Execution Graph Analysis) enabled
  • HDC (Hybrid Decompilation) enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@4/2@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 31.8% (good quality ratio 31.4%)
  • Quality average: 90.2%
  • Quality standard deviation: 19.1%
HCA Information:
  • Successful, ratio: 80%
  • Number of executed functions: 97
  • Number of non-executed functions: 246
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, mscorsvw.exe
  • Excluded IPs from analysis (whitelisted): 2.20.142.254, 2.20.142.202, 205.185.216.10, 205.185.216.42
  • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, a1363.dscg.akamai.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, crl.microsoft.com, crl.www.ms.akadns.net

Detection

Strategy: Threshold
Score: 100 (range 0 - 100)
Reporting: Report FP / FN
Whitelisted: false
Threat: AveMaria
Detection: malicious

Confidence

Strategy: Threshold
Score: 5 (range 0 - 5)
Further Analysis Required?: false


Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Techniques are listed here per tactic (the report renders them as a 12-column matrix). Numbers in parentheses are the report's superscript signature counts, reproduced as extracted (where the extraction ran several superscripts together, e.g. 112, they appear fused); techniques without a number are the matrix's unmatched filler entries.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise
Execution: Execution through API (2); Service Execution (2); Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32
Persistence: Registry Run Keys / Startup Folder (1); Hidden Files and Directories (1); Create Account (1); Modify Existing Service (1); New Service (1); Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking
Privilege Escalation: Access Token Manipulation (1); Process Injection (112); New Service (1); DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness
Defense Evasion: Hidden Users (1); Software Packing (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Masquerading (3); Hidden Files and Directories (1); Virtualization/Sandbox Evasion (2); Access Token Manipulation (1); Process Injection (112)
Credential Access: Credential Dumping (2); Credentials in Files (1); Input Capture (21); Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt
Discovery: System Time Discovery (1); Security Software Discovery (2); System Service Discovery (1); File and Directory Discovery (2); System Information Discovery (12); Process Discovery (2); Network Sniffing; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote File Copy (21); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares
Collection: Input Capture (21); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium
Command and Control: Commonly Used Port (1); Uncommonly Used Port (1); Remote File Copy (21); Standard Cryptographic Protocol (2); Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption
Impact: Endpoint Denial of Service (1); Data Encrypted for Impact; Disk Structure Wipe; Disk Content Wipe; Service Stop; Inhibit System Recovery; Defacement; Stored Data Manipulation; Transmitted Data Manipulation
Post-Adversary Device Access / Without Adversary Device Access: no entries

Signature Overview



AV Detection:

Antivirus detection for dropped file
  Source: C:\ProgramData\images.exe | Avira: detection malicious, Label: TR/Crypt.Agent.yyhho
Antivirus detection for sample
  Source: 4ifN8B061M.exe | Avira: detection malicious, Label: TR/Crypt.Agent.yyhho
Multi AV Scanner detection for submitted file
  Source: 4ifN8B061M.exe | Virustotal: Detection: 47%
Yara detected AveMaria stealer
  Source: Yara match | File source: 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000003.00000003.567782220.0012C000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: Process Memory Space: images.exe PID: 3596, type: MEMORY
  Source: Yara match | File source: Process Memory Space: 4ifN8B061M.exe PID: 3380, type: MEMORY
  Source: Yara match | File source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
  Source: C:\ProgramData\images.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
  Source: 4ifN8B061M.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  Source: 3.2.images.exe.430000.1.unpack | Avira: Label: TR/RedCap.ghjpt
  Source: 0.2.4ifN8B061M.exe.250000.1.unpack | Avira: Label: TR/RedCap.ghjpt
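The ten .sdmp names in the AveMaria match list above encode where in each process the rule fired. The script below is an added example (it is not part of the Joe Sandbox report and not Joe Sandbox code) that decodes those names and ranks the hits so that an analyst pulls the right dump first. The field layout it assumes (process index, dump phase, dump id, base address, page protection, type) is inferred from the names on this page; the PAGE_* constants are the standard Windows values. The input list is copied from the report.

```python
"""Added example (not part of the Joe Sandbox report): decode the memory-dump
names that the AveMaria Yara matches point at, and rank the hits.

Assumed field layout, inferred from the names on this page rather than taken from
Joe Sandbox documentation:
    <process index>.<dump phase>.<dump id>.<base address>.<page protection>.<type>.sdmp
The page-protection field carries the standard Windows PAGE_* constants.
"""
import re

PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{8})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)

# Constructed input: the ten .sdmp names from the 'Yara detected AveMaria stealer'
# list. Process 0 is 4ifN8B061M.exe (PID 3380), process 3 is images.exe (PID 3596).
AVEMARIA_HITS = [
    "00000003.00000003.566547321.0012A000.00000004.00000001.sdmp",
    "00000000.00000002.424063177.00230000.00000040.00000001.sdmp",
    "00000003.00000002.577710609.00442000.00000002.00000001.sdmp",
    "00000000.00000003.422033804.003DD000.00000004.00000001.sdmp",
    "00000000.00000003.422009641.003DA000.00000004.00000001.sdmp",
    "00000003.00000003.567782220.0012C000.00000004.00000001.sdmp",
    "00000003.00000003.564800575.00130000.00000004.00000001.sdmp",
    "00000003.00000002.577668662.00410000.00000040.00000001.sdmp",
    "00000000.00000002.424120535.00262000.00000002.00000001.sdmp",
    "00000000.00000003.421973490.003CD000.00000004.00000001.sdmp",
]


def parse_dump_name(name):
    """Split one dump name into numeric fields; the protection is also named."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    protect = int(m["protect"], 16)
    return {
        "name": name,
        "process": int(m["proc"], 16),
        "phase": int(m["phase"], 16),
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect, hex(protect)),
    }


# Executable-and-writable regions first: that is where an unpacked payload lives.
_PRIORITY = {0x40: 0, 0x20: 1, 0x02: 2, 0x04: 3}


def rank_hits(names):
    rows = [parse_dump_name(n) for n in names]
    return sorted(rows, key=lambda r: (_PRIORITY.get(r["protect"], 9), r["process"], r["base"]))


def rwx_candidates(names):
    """(process, base) of every PAGE_EXECUTE_READWRITE region with a Yara hit."""
    return [(r["process"], r["base"]) for r in rank_hits(names) if r["protect"] == 0x40]


def rebase_delta(names, proc_a, proc_b, phase=2):
    """If every phase-`phase` hit in proc_b sits at one constant offset from a hit
    in proc_a, return that offset: the same unpacked image at a different base.
    Phase 2 is assumed to be the end-of-run dump set; the phase-3 dumps on this
    page are heap-range addresses that do not line up between the processes."""
    rows = [parse_dump_name(n) for n in names]
    a = sorted(r["base"] for r in rows if r["process"] == proc_a and r["phase"] == phase)
    b = sorted(r["base"] for r in rows if r["process"] == proc_b and r["phase"] == phase)
    if not a or len(a) != len(b):
        return None
    deltas = {y - x for x, y in zip(a, b)}
    return deltas.pop() if len(deltas) == 1 else None


if __name__ == "__main__":
    for r in rank_hits(AVEMARIA_HITS):
        print(f"proc {r['process']} base {r['base']:#010x} {r['protect_name']}")
    print("rwx candidates:", [(p, hex(b)) for p, b in rwx_candidates(AVEMARIA_HITS)])
    print("rebase delta proc0 -> proc3:", hex(rebase_delta(AVEMARIA_HITS, 0, 3)))
```

On this report's data the two PAGE_EXECUTE_READWRITE regions are 0x230000 in the sample and 0x410000 in images.exe, and the phase-2 hits of the two processes differ by a constant 0x1E0000; that is the same unpacked image loaded twice, which is also why the unpacked PEs 0.2.4ifN8B061M.exe.250000.1.unpack and 3.2.images.exe.430000.1.unpack carry the same Avira label.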

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00259E04 lstrlenA,CryptStringToBinaryA,lstrcpyA
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002592D8 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025AFDF PathFileExistsW,CopyFileW,CryptUnprotectData,LocalFree
  Source: C:\ProgramData\images.exe | Code function: 3_2_00439E04 lstrlenA,CryptStringToBinaryA,lstrcpyA
  Source: C:\ProgramData\images.exe | Code function: 3_2_004392D8 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW
  Source: C:\ProgramData\images.exe | Code function: 3_2_0043AFDF PathFileExistsW,CopyFileW,CryptUnprotectData,LocalFree
  Note: despite the signature name, none of these functions talks to a cryptographic service provider directly. CryptStringToBinaryA decodes Base64 or hex text, and CryptUnprotectData is DPAPI. Reading a registry value and decrypting it (0_2_002592D8), and copying a file before decrypting blobs out of it (0_2_0025AFDF), are the usual steps for recovering credentials that mail clients and browsers store under DPAPI, which is consistent with the spyw classification above. The same three functions exist in the dropped images.exe at addresses exactly 0x1E0000 higher.

Spreading:

Contains functionality to enumerate / list files inside a directory
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E879D FindFirstFileExA
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00258A9C GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025DEC5 FindFirstFileW,FindNextFileW
  Source: C:\ProgramData\images.exe | Code function: 3_2_00CC879D FindFirstFileExA
  Source: C:\ProgramData\images.exe | Code function: 3_2_0043DEC5 FindFirstFileW,FindNextFileW
  Source: C:\ProgramData\images.exe | Code function: 3_2_00438A9C GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA
Contains functionality to query local drives
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025DFC9 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW

Networking:

Detected non-DNS traffic on DNS port
  Source: global traffic | TCP traffic: 192.168.1.16:49172 -> 8.8.8.8:53
  Source: global traffic | TCP traffic: 192.168.1.16:49170 -> 8.8.8.8:53
  Source: global traffic | TCP traffic: 192.168.1.16:49169 -> 8.8.8.8:53
Contains functionality to download and execute PE files
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00252675 URLDownloadToFileW,ShellExecuteW
Detected TCP or UDP traffic on non-standard ports
  Source: global traffic | TCP traffic: 192.168.1.16:49171 -> 45.133.183.138:5200
Connects to IPs without corresponding DNS lookups
  Source: unknown | TCP traffic detected without corresponding DNS query: 45.133.183.138
  Source: unknown | TCP traffic detected without corresponding DNS query: 45.133.183.138
Contains functionality to download additional files from the internet
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025B424 recv
Urls found in memory or binary data
  Source: 4ifN8B061M.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
  Source: 4ifN8B061M.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
  Source: 4ifN8B061M.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
  Source: 4ifN8B061M.exe | String found in binary or memory: http://ocsp.sectigo.com0
  Source: 4ifN8B061M.exe | String found in binary or memory: http://ocsp.thawte.com0
  Source: 4ifN8B061M.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
  Source: 4ifN8B061M.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
  Source: 4ifN8B061M.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
  Source: 4ifN8B061M.exe, images.exe | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
  Source: 4ifN8B061M.exe, 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, images.exe, 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
  Source: 4ifN8B061M.exe | String found in binary or memory: https://sectigo.com/CPS0C
  Note: 45.133.183.138:5200 was reached with no name resolution anywhere in the trace, so the indicator to record is the IP and port pair, not a domain. The three TCP sessions to 8.8.8.8:53 are flagged because their payload was not DNS. The Sectigo, Thawte and Symantec URLs are CRL, OCSP and AIA endpoints of a code-signing certificate chain and a timestamping chain, i.e. an embedded Authenticode signature, not contact points of the sample; the characters that trail them (0s, 0#, 0(, 07, 0C) are the adjacent DER SEQUENCE tag and length bytes picked up by string extraction. The github.com string is present in both files and in memory regions where the AveMaria rule matched, which ties the dropped images.exe to the sample.
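The three network signatures in this section (non-DNS payload on port 53, a non-standard port, and a destination that was never resolved) are easy to reproduce from a connection log. The script below is an added example, not part of the Joe Sandbox report, that runs those checks over constructed events shaped like the 'global traffic' lines above. The addresses and ports are the ones this report lists; the payload bytes, the single resolver answer and the two extra control sessions (source ports 49173 and 49174) are made up for the demonstration, and the set of "standard" ports is the example's own choice.

```python
"""Added example (not part of the Joe Sandbox report): the three network checks
from the Networking section, run over constructed events shaped like the
'global traffic' lines above. Payload bytes, the resolver answer and the two
control sessions are made up; addresses and ports are the report's."""
import struct
from dataclasses import dataclass

# Ports this check treats as standard; 5200 is deliberately absent.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3389}
# Destinations the sandbox itself excluded (Warnings section above).
ALLOWLIST = {"2.20.142.254", "2.20.142.202", "205.185.216.10", "205.185.216.42"}


@dataclass
class Conn:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def looks_like_dns_over_tcp(payload: bytes) -> bool:
    """RFC 1035 TCP framing: 2-byte big-endian length, then a 12-byte header whose
    opcode is QUERY and whose section counts are plausible."""
    if len(payload) < 14:
        return False
    (length,) = struct.unpack("!H", payload[:2])
    if length != len(payload) - 2:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[2:14])
    if flags & 0x7800:          # OPCODE bits must be 0 (standard query/response)
        return False
    return 1 <= qd <= 4 and an < 64 and ns < 64 and ar < 64


def build_dns_query(name: str) -> bytes:
    """A minimal A query with the TCP length prefix, used as the positive control."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!H", len(msg)) + msg


def triage(dns_answers: dict, conns: list) -> list:
    """Return (finding, detail) pairs, deduplicated, in observation order."""
    resolved = {ip for ips in dns_answers.values() for ip in ips}
    findings, seen = [], set()

    def add(kind, detail):
        if (kind, detail) not in seen:
            seen.add((kind, detail))
            findings.append((kind, detail))

    for c in conns:
        if c.dst in ALLOWLIST:
            continue
        if c.dport == 53:
            if not looks_like_dns_over_tcp(c.payload):
                add("non-DNS traffic on DNS port", f"{c.src}:{c.sport} -> {c.dst}:{c.dport}")
            continue                      # the resolver itself is never "resolved"
        if c.dport not in STANDARD_PORTS:
            add("TCP traffic on non-standard port", f"{c.dst}:{c.dport}")
        if c.dst not in resolved:
            add("connection without corresponding DNS lookup", c.dst)
    return findings


# Constructed sample: the resolver only answered for an allow-listed update host.
SAMPLE_DNS = {"ctldl.windowsupdate.com": ["205.185.216.10"]}
NOT_DNS = b"\x01\x02not-a-dns-message"   # constructed non-DNS payload
SAMPLE_CONNS = [
    Conn("192.168.1.16", 49169, "8.8.8.8", 53, NOT_DNS),
    Conn("192.168.1.16", 49170, "8.8.8.8", 53, NOT_DNS),
    Conn("192.168.1.16", 49171, "45.133.183.138", 5200),
    Conn("192.168.1.16", 49172, "8.8.8.8", 53, NOT_DNS),
    Conn("192.168.1.16", 49173, "8.8.8.8", 53, build_dns_query("example.com")),  # control
    Conn("192.168.1.16", 49174, "205.185.216.10", 80),                           # allow-listed
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_DNS, SAMPLE_CONNS):
        print(f"{kind}: {detail}")
```

The length-prefix and header checks are what separates this from a plain "TCP on port 53" rule: DNS over TCP is legitimate, so the rule must look at the payload, and the report's three flagged sessions would pass a port-only rule. The control session carrying a real query is not reported.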

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025765A GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx
Installs a raw input device (often for capturing keystrokes)
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00257CB3 DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices
  Note: the first function is a hook callback (it ends in CallNextHookEx) that polls modifier and key state with GetAsyncKeyState and names keys with GetKeyNameTextW. The second is a window procedure that reads WM_INPUT data with GetRawInputData, records the foreground window title via GetForegroundWindow/GetWindowTextW, and appends both to a file with CreateFileW/WriteFile. Because RegisterRawInputDevices delivers keyboard input without a hook, detections that only look for SetWindowsHookEx-style keyloggers will miss that second path.

E-Banking Fraud:

Yara detected AveMaria stealer
  Same Yara matches as listed under AV Detection above: the ten memory dumps, the process memory spaces of images.exe (PID 3596) and 4ifN8B061M.exe (PID 3380), and the two unpacked PEs 0.2.4ifN8B061M.exe.250000.1.unpack and 3.2.images.exe.430000.1.unpack.

System Summary:

Malicious sample detected (through community Yara rule)
  Source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
  Source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
  Source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone, Author: unknown
  Source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone, Author: unknown
Detected potential crypto function
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code functions: 0_2_012F7A20, 0_2_012F6AA6, 0_2_012F85EF, 0_2_012E3DFC, 0_2_012FD860, 0_2_012EB840, 0_2_012EBCE2, 0_2_012EE793, 0_2_012EFA19, 0_2_012EE666, 0_2_0025F9F3, 0_2_002492E7, 0_2_0023F332, 0_2_0024931C
  Source: C:\ProgramData\images.exe | Code functions: 3_2_00CD6AA6, 3_2_00CD7A20, 3_2_00CCBCE2, 3_2_00CCB840, 3_2_00CDD860, 3_2_00CD85EF, 3_2_00CC3DFC, 3_2_00CCE666, 3_2_00CCFA19, 3_2_00CCE793, 3_2_0043F9F3, 3_2_004292E7, 3_2_0042931C, 3_2_0041F332
Found potential string decryption / allocating functions
  Source: C:\ProgramData\images.exe | String function: 00CC1040 appears 117 times
  Source: C:\ProgramData\images.exe | String function: 00433412 appears 37 times
  Source: C:\ProgramData\images.exe | String function: 0043E907 appears 48 times
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | String function: 012E1040 appears 117 times
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | String function: 0025E907 appears 48 times
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | String function: 00253412 appears 37 times
Sample file is different than original file name gathered from version info
  Source: 4ifN8B061M.exe, 00000000.00000002.424017777.000E0000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs 4ifN8B061M.exe
  Note: the version resource claims the file is SETUPAPI.DLL.MUI, a Windows system file name; this is one of the inputs behind the Masquerading entry in the ATT&CK matrix above.
Yara signature match
  Five community rules matched. Each rule's metadata is given once, followed by the sources it matched.
  Codoso_Gh0st_1: date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
  Codoso_Gh0st_1_RID2C2D: date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
  Codoso_Gh0st_2: date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
  Codoso_Gh0st_2_RID2C2E: date = 2016-01-30 09:38:11, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
  AveMaria_WarZone: Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
  Matched by Codoso_Gh0st_1 and Codoso_Gh0st_1_RID2C2D (type: MEMORY):
    • 00000003.00000003.565700412.0013A000.00000004.00000001.sdmp
    • 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
    • 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
    • 00000000.00000002.424063177.00230000.00000040.00000001.sdmp
    • 00000003.00000003.567703677.0013A000.00000004.00000001.sdmp
    • 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp
    • 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp
    • 00000003.00000003.564800575.00130000.00000004.00000001.sdmp
    • 00000003.00000002.577668662.00410000.00000040.00000001.sdmp
    • 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp
  Matched by Codoso_Gh0st_1, Codoso_Gh0st_1_RID2C2D, Codoso_Gh0st_2, Codoso_Gh0st_2_RID2C2E and AveMaria_WarZone (type: UNPACKEDPE):
    • 0.2.4ifN8B061M.exe.250000.1.unpack
    • 3.2.images.exe.430000.1.unpack
  Note: the Codoso_Gh0st_* rules fire on the same unpacked images and memory regions as the AveMaria_WarZone rule, and two of them carry score = demo in their metadata. The report's own threat attribution (Detection table above) is AveMaria, so treat the Gh0st matches as a code overlap to verify against the rule strings rather than as evidence of a second family.
Classification label
  Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@4/2@0/1
Contains functionality to adjust token privileges (e.g. debug / backup)
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025D609 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
  Source: C:\ProgramData\images.exe | Code function: 3_2_0043D609 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Contains functionality to enum processes or threads
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025EC17 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Contains functionality to instantiate COM classes
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002606D5 CoInitialize,CoCreateInstance,VariantInit,CoUninitialize
Contains functionality to load and extract PE file embedded resources
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025F843 GetModuleFileNameW,IsUserAnAdmin,FindResourceW,LoadResource,SizeofResource,LockResource
Contains functionality to modify services (start/stop/modify)
  Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025B81D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Creates files inside the program directoryShow sources
Source: C:\Users\user\Desktop\4ifN8B061M.exeFile created: C:\Program Files\Microsoft DN1Jump to behavior
Creates files inside the user directoryShow sources
Source: C:\Users\user\Desktop\4ifN8B061M.exeFile created: C:\Users\user\AppData\Local\Microsoft Vision\Jump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: 4ifN8B061M.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policiesShow sources
Source: C:\Users\user\Desktop\4ifN8B061M.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample is known by AntivirusShow sources
Source: 4ifN8B061M.exeVirustotal: Detection: 47%
Sample reads its own file contentShow sources
Source: C:\Users\user\Desktop\4ifN8B061M.exeFile read: C:\Users\user\Desktop\4ifN8B061M.exeJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\4ifN8B061M.exe 'C:\Users\user\Desktop\4ifN8B061M.exe'
Source: unknownProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: unknownProcess created: C:\ProgramData\images.exe 'C:\ProgramData\images.exe'
Source: C:\Users\user\Desktop\4ifN8B061M.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exeJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\4ifN8B061M.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32Jump to behavior
Creates a directory in C:\Program FilesShow sources
Source: C:\Users\user\Desktop\4ifN8B061M.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
PE / OLE file has a valid certificateShow sources
Source: 4ifN8B061M.exeStatic PE information: certificate valid
PE file contains a mix of data directories often seen in goodwareShow sources
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: 4ifN8B061M.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directoryShow sources
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mappingShow sources
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025582B LoadLibraryA,GetProcAddress,ExitProcess, 0_2_0025582B
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1AA6 push ecx; ret 0_2_012E1AB9
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00251130 push eax; ret 0_2_00251144
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00251130 push eax; ret 0_2_0025116C
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0024311B push ebx; iretd 0_2_0024311C
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002419C0 push ebp; retf 0_2_00241A63
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00230A6F push eax; ret 0_2_00230A83
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00230A6F push eax; ret 0_2_00230AAB
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC1AA6 push ecx; ret 3_2_00CC1AB9
Source: C:\ProgramData\images.exe | Code function: 3_2_00431130 push eax; ret 3_2_00431144
Source: C:\ProgramData\images.exe | Code function: 3_2_00431130 push eax; ret 3_2_0043116C
Source: C:\ProgramData\images.exe | Code function: 3_2_0042311B push ebx; iretd 3_2_0042311C
Source: C:\ProgramData\images.exe | Code function: 3_2_004219C0 push ebp; retf 3_2_00421A63
Source: C:\ProgramData\images.exe | Code function: 3_2_00410A6F push eax; ret 3_2_00410A83
Source: C:\ProgramData\images.exe | Code function: 3_2_00410A6F push eax; ret 3_2_00410AAB

Persistence and Installation Behavior:

Contains functionality to create new users
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025B799 NetUserAdd,NetLocalGroupAddMembers, 0_2_0025B799
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00252675 URLDownloadToFileW,ShellExecuteW, 0_2_00252675
Drops PE files
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File created: C:\ProgramData\images.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File created: C:\ProgramData\images.exe
Contains functionality to read ini properties file for application configuration
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002598B0 lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 0_2_002598B0
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025936E GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 0_2_0025936E
Source: C:\ProgramData\images.exe | Code function: 3_2_004398B0 lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 3_2_004398B0
Source: C:\ProgramData\images.exe | Code function: 3_2_0043936E GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 3_2_0043936E

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025B889 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0025B889
Creates an autostart registry key
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Images
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Images

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts
Source: 4ifN8B061M.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: 4ifN8B061M.exe, 00000000.00000002.424063177.00230000.00000040.00000001.sdmp | String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A66
Source: images.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp | String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A66
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 0_2_0025BDDC
Source: C:\ProgramData\images.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 3_2_0043BDDC
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Thread delayed: delay time: 1000000
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Thread delayed: delay time: 1000000
Source: C:\ProgramData\images.exe | Thread delayed: delay time: 1000000
Source: C:\ProgramData\images.exe | Thread delayed: delay time: 1000000
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-27633
Source: C:\ProgramData\images.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_3-27511
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\4ifN8B061M.exe TID: 3432 | Thread sleep time: -4000000s >= -30000s
Source: C:\Users\user\Desktop\4ifN8B061M.exe TID: 3560 | Thread sleep count: 56 > 30
Source: C:\Users\user\Desktop\4ifN8B061M.exe TID: 3432 | Thread sleep time: -1000000s >= -30000s
Source: C:\ProgramData\images.exe TID: 3568 | Thread sleep count: 41 > 30
Source: C:\ProgramData\images.exe TID: 3568 | Thread sleep time: -41000000s >= -30000s
Source: C:\ProgramData\images.exe TID: 3324 | Thread sleep count: 51 > 30
Source: C:\ProgramData\images.exe TID: 3568 | Thread sleep time: -1000000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\ProgramData\images.exe | Last function: Thread delayed
Source: C:\ProgramData\images.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E879D FindFirstFileExA, 0_2_012E879D
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00258A9C GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 0_2_00258A9C
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025DEC5 FindFirstFileW,FindNextFileW, 0_2_0025DEC5
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC879D FindFirstFileExA, 3_2_00CC879D
Source: C:\ProgramData\images.exe | Code function: 3_2_0043DEC5 FindFirstFileW,FindNextFileW, 3_2_0043DEC5
Source: C:\ProgramData\images.exe | Code function: 3_2_00438A9C GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 3_2_00438A9C
Contains functionality to query local drives
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025DFC9 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 0_2_0025DFC9
Program exit points
Source: C:\Users\user\Desktop\4ifN8B061M.exe | API call chain: ExitProcess graph end node graph_0-27859
Source: C:\ProgramData\images.exe | API call chain: ExitProcess graph end node graph_3-27672

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1817 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_012E1817
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025582B LoadLibraryA,GetProcAddress,ExitProcess, 0_2_0025582B
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E943A mov eax, dword ptr fs:[00000030h] 0_2_012E943A
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E528C mov eax, dword ptr fs:[00000030h] 0_2_012E528C
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025E8EC mov eax, dword ptr fs:[00000030h] 0_2_0025E8EC
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025E5B7 mov eax, dword ptr fs:[00000030h] 0_2_0025E5B7
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025E5BE mov eax, dword ptr fs:[00000030h] 0_2_0025E5BE
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00230467 mov eax, dword ptr fs:[00000030h] 0_2_00230467
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002454A9 mov eax, dword ptr fs:[00000030h] 0_2_002454A9
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0023E22B mov eax, dword ptr fs:[00000030h] 0_2_0023E22B
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0023DEF6 mov eax, dword ptr fs:[00000030h] 0_2_0023DEF6
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0023DEFD mov eax, dword ptr fs:[00000030h] 0_2_0023DEFD
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC943A mov eax, dword ptr fs:[00000030h] 3_2_00CC943A
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC528C mov eax, dword ptr fs:[00000030h] 3_2_00CC528C
Source: C:\ProgramData\images.exe | Code function: 3_2_0043E8EC mov eax, dword ptr fs:[00000030h] 3_2_0043E8EC
Source: C:\ProgramData\images.exe | Code function: 3_2_0043E5B7 mov eax, dword ptr fs:[00000030h] 3_2_0043E5B7
Source: C:\ProgramData\images.exe | Code function: 3_2_0043E5BE mov eax, dword ptr fs:[00000030h] 3_2_0043E5BE
Source: C:\ProgramData\images.exe | Code function: 3_2_00410467 mov eax, dword ptr fs:[00000030h] 3_2_00410467
Source: C:\ProgramData\images.exe | Code function: 3_2_004254A9 mov eax, dword ptr fs:[00000030h] 3_2_004254A9
Source: C:\ProgramData\images.exe | Code function: 3_2_0041E22B mov eax, dword ptr fs:[00000030h] 3_2_0041E22B
Source: C:\ProgramData\images.exe | Code function: 3_2_0041DEF6 mov eax, dword ptr fs:[00000030h] 3_2_0041DEF6
Source: C:\ProgramData\images.exe | Code function: 3_2_0041DEFD mov eax, dword ptr fs:[00000030h] 3_2_0041DEFD
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E9EC7 GetProcessHeap, 0_2_012E9EC7
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E19AA SetUnhandledExceptionFilter, 0_2_012E19AA
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1817 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_012E1817
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1C6F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_012E1C6F
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E5F98 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_012E5F98
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC19AA SetUnhandledExceptionFilter, 3_2_00CC19AA
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC1C6F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00CC1C6F
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC1817 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00CC1817
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC5F98 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00CC5F98

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025FD9E OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 0_2_0025FD9E
Source: C:\ProgramData\images.exe | Code function: 3_2_0043FD9E OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 3_2_0043FD9E
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 0_2_0025FE7E
Source: C:\ProgramData\images.exe | Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 3_2_0043FE7E
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025F6C1 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError, 0_2_0025F6C1
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025D508 AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid, 0_2_0025D508
May try to detect the Windows Explorer process (often used for injection)
Source: images.exe, 00000003.00000002.579104628.00DA0000.00000002.00000001.sdmp, images.exe, 00000004.00000002.579883636.00DA0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: images.exe, 00000003.00000002.579104628.00DA0000.00000002.00000001.sdmp, images.exe, 00000004.00000002.579883636.00DA0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: images.exe, 00000003.00000002.579104628.00DA0000.00000002.00000001.sdmp, images.exe, 00000004.00000002.579883636.00DA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1ABB cpuid 0_2_012E1ABB
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1706 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,RtlQueryPerformanceCounter, 0_2_012E1706

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connection per server for Internet Explorer
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Stealing of Sensitive Information:

Yara detected AveMaria stealer
Source: Yara match | File source: 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.567782220.0012C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: images.exe PID: 3596, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ifN8B061M.exe PID: 3380, type: MEMORY
Source: Yara match | File source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: \Google\Chrome\User Data\Default\Login Data 0_2_0025AFDF
Source: C:\ProgramData\images.exe | Code function: \Google\Chrome\User Data\Default\Login Data 3_2_0043AFDF
Contains functionality to steal e-mail passwords
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: POP3 Password 0_2_00258F40
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: SMTP Password 0_2_00258F40
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: IMAP Password 0_2_00258F40
Source: C:\ProgramData\images.exe | Code function: POP3 Password 3_2_00438F40
Source: C:\ProgramData\images.exe | Code function: SMTP Password 3_2_00438F40
Source: C:\ProgramData\images.exe | Code function: IMAP Password 3_2_00438F40

Remote Access Functionality:

Yara detected AveMaria stealer
Source: Yara match | File source: 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.567782220.0012C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: images.exe PID: 3596, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ifN8B061M.exe PID: 3380, type: MEMORY
Source: Yara match | File source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE

Malware Configuration

No configs have been found

Signature Similarity

Sample Distance (10 = nearest)
Samplename | Analysis ID | SHA256 | Similarity

Behavior Graph

[Behavior graph not reproduced here. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]

Simulations

Behavior and APIs

Time | Type | Description
09:32:42 | API Interceptor | 23x Sleep call for process: 4ifN8B061M.exe modified
09:32:47 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Images C:\ProgramData\images.exe
09:33:42 | API Interceptor | 58x Sleep call for process: images.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
4ifN8B061M.exe | 48% | Virustotal |
4ifN8B061M.exe | 100% | Avira | TR/Crypt.Agent.yyhho
4ifN8B061M.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\ProgramData\images.exe | 100% | Avira | TR/Crypt.Agent.yyhho
C:\ProgramData\images.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.images.exe.430000.1.unpack | 100% | Avira | TR/RedCap.ghjpt
0.2.4ifN8B061M.exe.250000.1.unpack | 100% | Avira | TR/RedCap.ghjpt

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | Virustotal |
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | Virustotal |
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0C | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.566547321.0012A000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000003.565700412.0013A000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3bd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdc8:$c1: Elevation:Administrator!new:
  • 0x3bd0:$c1: Elevation:Administrator!new:
00000003.00000003.565700412.0013A000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3bd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdc8:$c1: Elevation:Administrator!new:
  • 0x3bd0:$c1: Elevation:Administrator!new:
00000003.00000002.577725352.00448000.00000002.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000003.00000002.577725352.00448000.00000002.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000000.00000002.424138873.00268000.00000002.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000000.00000002.424138873.00268000.00000002.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000000.00000002.424063177.00230000.00000040.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1672f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1672f:$c1: Elevation:Administrator!new:
00000000.00000002.424063177.00230000.00000040.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1672f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1672f:$c1: Elevation:Administrator!new:
00000000.00000002.424063177.00230000.00000040.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000002.577710609.00442000.00000002.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000003.567703677.0013A000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3bd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdc8:$c1: Elevation:Administrator!new:
  • 0x3bd0:$c1: Elevation:Administrator!new:
00000003.00000003.567703677.0013A000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3bd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdc8:$c1: Elevation:Administrator!new:
  • 0x3bd0:$c1: Elevation:Administrator!new:
00000000.00000003.422033804.003DD000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x5998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x5998:$c1: Elevation:Administrator!new:
00000000.00000003.422033804.003DD000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x5998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x5998:$c1: Elevation:Administrator!new:
00000000.00000003.422033804.003DD000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000000.00000003.422009641.003DA000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x8998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x8998:$c1: Elevation:Administrator!new:
00000000.00000003.422009641.003DA000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x8998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x8998:$c1: Elevation:Administrator!new:
00000000.00000003.422009641.003DA000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000003.567782220.0012C000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000003.564800575.00130000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xadc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdbd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xadc8:$c1: Elevation:Administrator!new:
  • 0xdbd0:$c1: Elevation:Administrator!new:
00000003.00000003.564800575.00130000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xadc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdbd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xadc8:$c1: Elevation:Administrator!new:
  • 0xdbd0:$c1: Elevation:Administrator!new:
00000003.00000003.564800575.00130000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000002.577668662.00410000.00000040.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1672f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1672f:$c1: Elevation:Administrator!new:
00000003.00000002.577668662.00410000.00000040.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1672f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1672f:$c1: Elevation:Administrator!new:
                00000003.00000002.577668662.00410000.00000040.00000001.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
                  00000000.00000002.424120535.00262000.00000002.00000001.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
                    00000000.00000003.421973490.003CD000.00000004.00000001.sdmpCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
                    • 0x36a8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
                    • 0x15998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
                    • 0x36a8:$c1: Elevation:Administrator!new:
                    • 0x15998:$c1: Elevation:Administrator!new:
                    00000000.00000003.421973490.003CD000.00000004.00000001.sdmpCodoso_Gh0st_1_RID2C2DDetects Codoso APT Gh0st MalwareFlorian Roth
                    • 0x36a8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
                    • 0x15998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
                    • 0x36a8:$c1: Elevation:Administrator!new:
                    • 0x15998:$c1: Elevation:Administrator!new:
                    00000000.00000003.421973490.003CD000.00000004.00000001.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
                      Process Memory Space: images.exe PID: 3596JoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
                        Process Memory Space: 4ifN8B061M.exe PID: 3380JoeSecurity_AveMariaYara detected AveMaria stealerJoe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.4ifN8B061M.exe.250000.1.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x161f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.4ifN8B061M.exe.250000.1.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x161f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x161f0:$c1: Elevation:Administrator!new:
0.2.4ifN8B061M.exe.250000.1.unpack | Codoso_Gh0st_2_RID2C2E | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x161f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.2.images.exe.430000.1.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x161f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.2.images.exe.430000.1.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x161f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x161f0:$c1: Elevation:Administrator!new:
0.2.4ifN8B061M.exe.250000.1.unpack | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x161f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x161f0:$c1: Elevation:Administrator!new:
3.2.images.exe.430000.1.unpack | Codoso_Gh0st_2_RID2C2E | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x161f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.2.images.exe.430000.1.unpack | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x161f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x161f0:$c1: Elevation:Administrator!new:
0.2.4ifN8B061M.exe.250000.1.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
3.2.images.exe.430000.1.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
0.2.4ifN8B061M.exe.250000.1.unpack | AveMaria_WarZone | unknown | unknown
  • 0x13644:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
  • 0x13514:$str2: MsgBox.exe
  • 0x136b0:$str4: \System32\cmd.exe
  • 0x133e8:$str6: Ave_Maria
  • 0x12620:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
  • 0x12000:$str8: SMTP Password
  • 0x11b50:$str11: \Google\Chrome\User Data\Default\Login Data
  • 0x125ec:$str12: \sqlmap.dll
  • 0x11b28:$str14: SELECT * FROM logins
  • 0x161f0:$str16: Elevation:Administrator!new
  • 0x16310:$str17: /n:%temp%
3.2.images.exe.430000.1.unpack | AveMaria_WarZone | unknown | unknown
  • 0x13644:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
  • 0x13514:$str2: MsgBox.exe
  • 0x136b0:$str4: \System32\cmd.exe
  • 0x133e8:$str6: Ave_Maria
  • 0x12620:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
  • 0x12000:$str8: SMTP Password
  • 0x11b50:$str11: \Google\Chrome\User Data\Default\Login Data
  • 0x125ec:$str12: \sqlmap.dll
  • 0x11b28:$str14: SELECT * FROM logins
  • 0x161f0:$str16: Elevation:Administrator!new
  • 0x16310:$str17: /n:%temp%

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.