
Analysis Report 4ifN8B061M

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 1014791
Start date: 09.12.2019
Start time: 09:30:46
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 7m 31s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 4ifN8B061M (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@4/2@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 31.8% (good quality ratio 31.4%)
  • Quality average: 90.2%
  • Quality standard deviation: 19.1%
HCA Information:
  • Successful, ratio: 80%
  • Number of executed functions: 97
  • Number of non-executed functions: 246
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, mscorsvw.exe
  • Excluded IPs from analysis (whitelisted): 2.20.142.254, 2.20.142.202, 205.185.216.10, 205.185.216.42
  • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, a1363.dscg.akamai.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, crl.microsoft.com, crl.www.ms.akadns.net

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Threat: AveMaria
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



MITRE ATT&CK Matrix

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise
Execution: Execution through API 2, Service Execution 2, Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting, Third-party Software, Rundll32
Persistence: Registry Run Keys / Startup Folder 1, Hidden Files and Directories 1, Create Account 1, Modify Existing Service 1, New Service 1, Modify Existing Service, Path Interception, Logon Scripts, DLL Search Order Hijacking
Privilege Escalation: Access Token Manipulation 1, Process Injection 112, New Service 1, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task, Process Injection, Service Registry Permissions Weakness
Defense Evasion: Hidden Users 1, Software Packing 1, Deobfuscate/Decode Files or Information 1, Obfuscated Files or Information 2, Masquerading 3, Hidden Files and Directories 1, Virtualization/Sandbox Evasion 2, Access Token Manipulation 1, Process Injection 112
Credential Access: Credential Dumping 2, Credentials in Files 1, Input Capture 21, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History, Input Prompt
Discovery: System Time Discovery 1, Security Software Discovery 2, System Service Discovery 1, File and Directory Discovery 2, System Information Discovery 12, Process Discovery 2, Network Sniffing, Network Service Scanning, System Network Connections Discovery
Lateral Movement: Remote File Copy 21, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol, Windows Admin Shares
Collection: Input Capture 21, Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data, Automated Collection
Exfiltration: Data Encrypted 1, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium
Command and Control: Commonly Used Port 1, Uncommonly Used Port 1, Remote File Copy 21, Standard Cryptographic Protocol 2, Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol, Multilayer Encryption
Impact: Endpoint Denial of Service 1, Data Encrypted for Impact, Disk Structure Wipe, Disk Content Wipe, Service Stop, Inhibit System Recovery, Defacement, Stored Data Manipulation, Transmitted Data Manipulation

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\ProgramData\images.exe | Avira: detection malicious, Label: TR/Crypt.Agent.yyhho
Antivirus detection for sample
Source: 4ifN8B061M.exe | Avira: detection malicious, Label: TR/Crypt.Agent.yyhho
Multi AV Scanner detection for submitted file
Source: 4ifN8B061M.exe | Virustotal: Detection: 47%
Yara detected AveMaria stealer
Source: Yara match | File source: 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.567782220.0012C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: images.exe PID: 3596, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ifN8B061M.exe PID: 3380, type: MEMORY
Source: Yara match | File source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\ProgramData\images.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 4ifN8B061M.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.images.exe.430000.1.unpack | Avira: Label: TR/RedCap.ghjpt
Source: 0.2.4ifN8B061M.exe.250000.1.unpack | Avira: Label: TR/RedCap.ghjpt

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00259E04 lstrlenA,CryptStringToBinaryA,lstrcpyA
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002592D8 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025AFDF PathFileExistsW,CopyFileW,CryptUnprotectData,LocalFree
Source: C:\ProgramData\images.exe | Code function: 3_2_00439E04 lstrlenA,CryptStringToBinaryA,lstrcpyA
Source: C:\ProgramData\images.exe | Code function: 3_2_004392D8 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW
Source: C:\ProgramData\images.exe | Code function: 3_2_0043AFDF PathFileExistsW,CopyFileW,CryptUnprotectData,LocalFree

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E879D FindFirstFileExA
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00258A9C GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025DEC5 FindFirstFileW,FindNextFileW
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC879D FindFirstFileExA
Source: C:\ProgramData\images.exe | Code function: 3_2_0043DEC5 FindFirstFileW,FindNextFileW
Source: C:\ProgramData\images.exe | Code function: 3_2_00438A9C GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA
Contains functionality to query local drives
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025DFC9 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW

Networking:

Detected non-DNS traffic on DNS port
Source: global traffic | TCP traffic: 192.168.1.16:49172 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.1.16:49170 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.1.16:49169 -> 8.8.8.8:53
Contains functionality to download and execute PE files
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00252675 URLDownloadToFileW,ShellExecuteW
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.16:49171 -> 45.133.183.138:5200
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 45.133.183.138
Source: unknown | TCP traffic detected without corresponding DNS query: 45.133.183.138
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025B424 recv
Urls found in memory or binary data
Source: 4ifN8B061M.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 4ifN8B061M.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 4ifN8B061M.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 4ifN8B061M.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: 4ifN8B061M.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: 4ifN8B061M.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 4ifN8B061M.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 4ifN8B061M.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 4ifN8B061M.exe, images.exe | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: 4ifN8B061M.exe, 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, images.exe, 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: 4ifN8B061M.exe | String found in binary or memory: https://sectigo.com/CPS0C

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025765A GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx
Installs a raw input device (often for capturing keystrokes)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00257CB3 DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match | File source: 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.567782220.0012C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: images.exe PID: 3596, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ifN8B061M.exe PID: 3380, type: MEMORY
Source: Yara match | File source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
Source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012F7A20
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012F6AA6
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012F85EF
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E3DFC
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012FD860
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012EB840
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012EBCE2
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012EE793
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012EFA19
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012EE666
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025F9F3
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002492E7
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0023F332
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0024931C
Source: C:\ProgramData\images.exe | Code function: 3_2_00CD6AA6
Source: C:\ProgramData\images.exe | Code function: 3_2_00CD7A20
Source: C:\ProgramData\images.exe | Code function: 3_2_00CCBCE2
Source: C:\ProgramData\images.exe | Code function: 3_2_00CCB840
Source: C:\ProgramData\images.exe | Code function: 3_2_00CDD860
Source: C:\ProgramData\images.exe | Code function: 3_2_00CD85EF
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC3DFC
Source: C:\ProgramData\images.exe | Code function: 3_2_00CCE666
Source: C:\ProgramData\images.exe | Code function: 3_2_00CCFA19
Source: C:\ProgramData\images.exe | Code function: 3_2_00CCE793
Source: C:\ProgramData\images.exe | Code function: 3_2_0043F9F3
Source: C:\ProgramData\images.exe | Code function: 3_2_004292E7
Source: C:\ProgramData\images.exe | Code function: 3_2_0042931C
Source: C:\ProgramData\images.exe | Code function: 3_2_0041F332
Found potential string decryption / allocating functions
Source: C:\ProgramData\images.exe | Code function: String function: 00CC1040 appears 117 times
Source: C:\ProgramData\images.exe | Code function: String function: 00433412 appears 37 times
Source: C:\ProgramData\images.exe | Code function: String function: 0043E907 appears 48 times
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: String function: 012E1040 appears 117 times
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: String function: 0025E907 appears 48 times
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: String function: 00253412 appears 37 times
Sample file is different than original file name gathered from version info
Source: 4ifN8B061M.exe, 00000000.00000002.424017777.000E0000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs 4ifN8B061M.exe
Yara signature match
Source: 00000003.00000003.565700412.0013A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000003.565700412.0013A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1_RID2C2D date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1_RID2C2D date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1_RID2C2D date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1_RID2C2D date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000003.00000003.567703677.0013A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000003.567703677.0013A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1_RID2C2D date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1_RID2C2D date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1_RID2C2D date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1_RID2C2D date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1_RID2C2D date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1_RID2C2D date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2_RID2C2E date = 2016-01-30 09:38:11, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1_RID2C2D date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2_RID2C2E date = 2016-01-30 09:38:11, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1_RID2C2D date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Classification label
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@4/2@0/1
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025D609 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\ProgramData\images.exe | Code function: 3_2_0043D609 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025EC17 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002606D5 CoInitialize,CoCreateInstance,VariantInit,CoUninitialize
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025F843 GetModuleFileNameW,IsUserAnAdmin,FindResourceW,LoadResource,SizeofResource,LockResource
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025B81D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Creates files inside the program directory
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File created: C:\Program Files\Microsoft DN1
Creates files inside the user directory
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File created: C:\Users\user\AppData\Local\Microsoft Vision\
PE file has an executable .text section and no other executable section
Source: 4ifN8B061M.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: 4ifN8B061M.exe | Virustotal: Detection: 47%
Sample reads its own file content
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File read: C:\Users\user\Desktop\4ifN8B061M.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\4ifN8B061M.exe 'C:\Users\user\Desktop\4ifN8B061M.exe'
Source: unknown | Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: unknown | Process created: C:\ProgramData\images.exe 'C:\ProgramData\images.exe'
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
Creates a directory in C:\Program FilesShow sources
Source: C:\Users\user\Desktop\4ifN8B061M.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
PE / OLE file has a valid certificateShow sources
Source: 4ifN8B061M.exeStatic PE information: certificate valid
PE file contains a mix of data directories often seen in goodwareShow sources
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: 4ifN8B061M.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directoryShow sources
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mappingShow sources
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025582B LoadLibraryA,GetProcAddress,ExitProcess,0_2_0025582B
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1AA6 push ecx; ret 0_2_012E1AB9
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00251130 push eax; ret 0_2_00251144
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00251130 push eax; ret 0_2_0025116C
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0024311B push ebx; iretd 0_2_0024311C
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002419C0 push ebp; retf 0_2_00241A63
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00230A6F push eax; ret 0_2_00230A83
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00230A6F push eax; ret 0_2_00230AAB
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC1AA6 push ecx; ret 3_2_00CC1AB9
Source: C:\ProgramData\images.exe | Code function: 3_2_00431130 push eax; ret 3_2_00431144
Source: C:\ProgramData\images.exe | Code function: 3_2_00431130 push eax; ret 3_2_0043116C
Source: C:\ProgramData\images.exe | Code function: 3_2_0042311B push ebx; iretd 3_2_0042311C
Source: C:\ProgramData\images.exe | Code function: 3_2_004219C0 push ebp; retf 3_2_00421A63
Source: C:\ProgramData\images.exe | Code function: 3_2_00410A6F push eax; ret 3_2_00410A83
Source: C:\ProgramData\images.exe | Code function: 3_2_00410A6F push eax; ret 3_2_00410AAB

Persistence and Installation Behavior:

Contains functionality to create new users
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025B799 NetUserAdd,NetLocalGroupAddMembers,0_2_0025B799
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00252675 URLDownloadToFileW,ShellExecuteW,0_2_00252675
Drops PE files
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File created: C:\ProgramData\images.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File created: C:\ProgramData\images.exe
Contains functionality to read ini properties file for application configuration
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002598B0 lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,0_2_002598B0
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025936E GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,0_2_0025936E
Source: C:\ProgramData\images.exe | Code function: 3_2_004398B0 lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,3_2_004398B0
Source: C:\ProgramData\images.exe | Code function: 3_2_0043936E GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,3_2_0043936E

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025B889 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0025B889
Creates an autostart registry key
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Images
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Images

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts
Source: 4ifN8B061M.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: 4ifN8B061M.exe, 00000000.00000002.424063177.00230000.00000040.00000001.sdmp | String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A66
Source: images.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp | String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A66
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,0_2_0025BDDC
Source: C:\ProgramData\images.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,3_2_0043BDDC
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Thread delayed: delay time: 1000000
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Thread delayed: delay time: 1000000
Source: C:\ProgramData\images.exe | Thread delayed: delay time: 1000000
Source: C:\ProgramData\images.exe | Thread delayed: delay time: 1000000
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-27633
Source: C:\ProgramData\images.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_3-27511
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\4ifN8B061M.exe TID: 3432 | Thread sleep time: -4000000s >= -30000s
Source: C:\Users\user\Desktop\4ifN8B061M.exe TID: 3560 | Thread sleep count: 56 > 30
Source: C:\Users\user\Desktop\4ifN8B061M.exe TID: 3432 | Thread sleep time: -1000000s >= -30000s
Source: C:\ProgramData\images.exe TID: 3568 | Thread sleep count: 41 > 30
Source: C:\ProgramData\images.exe TID: 3568 | Thread sleep time: -41000000s >= -30000s
Source: C:\ProgramData\images.exe TID: 3324 | Thread sleep count: 51 > 30
Source: C:\ProgramData\images.exe TID: 3568 | Thread sleep time: -1000000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\ProgramData\images.exe | Last function: Thread delayed
Source: C:\ProgramData\images.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E879D FindFirstFileExA,0_2_012E879D
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00258A9C GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,0_2_00258A9C
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025DEC5 FindFirstFileW,FindNextFileW,0_2_0025DEC5
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC879D FindFirstFileExA,3_2_00CC879D
Source: C:\ProgramData\images.exe | Code function: 3_2_0043DEC5 FindFirstFileW,FindNextFileW,3_2_0043DEC5
Source: C:\ProgramData\images.exe | Code function: 3_2_00438A9C GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,3_2_00438A9C
Contains functionality to query local drives
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025DFC9 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,0_2_0025DFC9
Program exit points
Source: C:\Users\user\Desktop\4ifN8B061M.exe | API call chain: ExitProcess graph end node graph_0-27859
Source: C:\ProgramData\images.exe | API call chain: ExitProcess graph end node graph_3-27672

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1817 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_012E1817
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025582B LoadLibraryA,GetProcAddress,ExitProcess,0_2_0025582B
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E943A mov eax, dword ptr fs:[00000030h] 0_2_012E943A
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E528C mov eax, dword ptr fs:[00000030h] 0_2_012E528C
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025E8EC mov eax, dword ptr fs:[00000030h] 0_2_0025E8EC
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025E5B7 mov eax, dword ptr fs:[00000030h] 0_2_0025E5B7
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025E5BE mov eax, dword ptr fs:[00000030h] 0_2_0025E5BE
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00230467 mov eax, dword ptr fs:[00000030h] 0_2_00230467
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002454A9 mov eax, dword ptr fs:[00000030h] 0_2_002454A9
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0023E22B mov eax, dword ptr fs:[00000030h] 0_2_0023E22B
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0023DEF6 mov eax, dword ptr fs:[00000030h] 0_2_0023DEF6
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0023DEFD mov eax, dword ptr fs:[00000030h] 0_2_0023DEFD
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC943A mov eax, dword ptr fs:[00000030h] 3_2_00CC943A
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC528C mov eax, dword ptr fs:[00000030h] 3_2_00CC528C
Source: C:\ProgramData\images.exe | Code function: 3_2_0043E8EC mov eax, dword ptr fs:[00000030h] 3_2_0043E8EC
Source: C:\ProgramData\images.exe | Code function: 3_2_0043E5B7 mov eax, dword ptr fs:[00000030h] 3_2_0043E5B7
Source: C:\ProgramData\images.exe | Code function: 3_2_0043E5BE mov eax, dword ptr fs:[00000030h] 3_2_0043E5BE
Source: C:\ProgramData\images.exe | Code function: 3_2_00410467 mov eax, dword ptr fs:[00000030h] 3_2_00410467
Source: C:\ProgramData\images.exe | Code function: 3_2_004254A9 mov eax, dword ptr fs:[00000030h] 3_2_004254A9
Source: C:\ProgramData\images.exe | Code function: 3_2_0041E22B mov eax, dword ptr fs:[00000030h] 3_2_0041E22B
Source: C:\ProgramData\images.exe | Code function: 3_2_0041DEF6 mov eax, dword ptr fs:[00000030h] 3_2_0041DEF6
Source: C:\ProgramData\images.exe | Code function: 3_2_0041DEFD mov eax, dword ptr fs:[00000030h] 3_2_0041DEFD
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E9EC7 GetProcessHeap,0_2_012E9EC7
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E19AA SetUnhandledExceptionFilter,0_2_012E19AA
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1817 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_012E1817
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1C6F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_012E1C6F
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E5F98 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_012E5F98
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC19AA SetUnhandledExceptionFilter,3_2_00CC19AA
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC1C6F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00CC1C6F
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC1817 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00CC1817
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC5F98 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00CC5F98

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025FD9E OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,0_2_0025FD9E
Source: C:\ProgramData\images.exe | Code function: 3_2_0043FD9E OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,3_2_0043FD9E
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 0_2_0025FE7E
Source: C:\ProgramData\images.exe | Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 3_2_0043FE7E
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025F6C1 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,0_2_0025F6C1
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025D508 AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,0_2_0025D508
May try to detect the Windows Explorer process (often used for injection)
Source: images.exe, 00000003.00000002.579104628.00DA0000.00000002.00000001.sdmp, images.exe, 00000004.00000002.579883636.00DA0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: images.exe, 00000003.00000002.579104628.00DA0000.00000002.00000001.sdmp, images.exe, 00000004.00000002.579883636.00DA0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: images.exe, 00000003.00000002.579104628.00DA0000.00000002.00000001.sdmp, images.exe, 00000004.00000002.579883636.00DA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1ABB cpuid 0_2_012E1ABB
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1706 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,RtlQueryPerformanceCounter,0_2_012E1706

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connections per server for Internet Explorer
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Stealing of Sensitive Information:

Yara detected AveMaria stealer
Source: Yara match | File source: 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.567782220.0012C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: images.exe PID: 3596, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ifN8B061M.exe PID: 3380, type: MEMORY
Source: Yara match | File source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: \Google\Chrome\User Data\Default\Login Data 0_2_0025AFDF
Source: C:\ProgramData\images.exe | Code function: \Google\Chrome\User Data\Default\Login Data 3_2_0043AFDF
Contains functionality to steal e-mail passwords
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: POP3 Password 0_2_00258F40
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: SMTP Password 0_2_00258F40
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: IMAP Password 0_2_00258F40
Source: C:\ProgramData\images.exe | Code function: POP3 Password 3_2_00438F40
Source: C:\ProgramData\images.exe | Code function: SMTP Password 3_2_00438F40
Source: C:\ProgramData\images.exe | Code function: IMAP Password 3_2_00438F40

Remote Access Functionality:

Yara detected AveMaria stealer
Source: Yara match | File source: 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.567782220.0012C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: images.exe PID: 3596, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ifN8B061M.exe PID: 3380, type: MEMORY
Source: Yara match | File source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE

Malware Configuration

No configs have been found

Signature Similarity

Sample Distance (10 = nearest)
Samplename | Analysis ID | SHA256 | Similarity

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

Time | Type | Description
09:32:42 | API Interceptor | 23x Sleep call for process: 4ifN8B061M.exe modified
09:32:47 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Images C:\ProgramData\images.exe
09:33:42 | API Interceptor | 58x Sleep call for process: images.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
4ifN8B061M.exe | 48% | Virustotal
4ifN8B061M.exe | 100% | Avira | TR/Crypt.Agent.yyhho
4ifN8B061M.exe | 100% | Joe Sandbox ML

Dropped Files

Source | Detection | Scanner | Label
C:\ProgramData\images.exe | 100% | Avira | TR/Crypt.Agent.yyhho
C:\ProgramData\images.exe | 100% | Joe Sandbox ML

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.images.exe.430000.1.unpack | 100% | Avira | TR/RedCap.ghjpt
0.2.4ifN8B061M.exe.250000.1.unpack | 100% | Avira | TR/RedCap.ghjpt

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | Virustotal
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | Virustotal
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0C | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.566547321.0012A000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000003.565700412.0013A000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3bd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdc8:$c1: Elevation:Administrator!new:
  • 0x3bd0:$c1: Elevation:Administrator!new:
00000003.00000003.565700412.0013A000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3bd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdc8:$c1: Elevation:Administrator!new:
  • 0x3bd0:$c1: Elevation:Administrator!new:
00000003.00000002.577725352.00448000.00000002.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000003.00000002.577725352.00448000.00000002.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000000.00000002.424138873.00268000.00000002.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000000.00000002.424138873.00268000.00000002.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000000.00000002.424063177.00230000.00000040.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1672f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1672f:$c1: Elevation:Administrator!new:
00000000.00000002.424063177.00230000.00000040.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1672f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1672f:$c1: Elevation:Administrator!new:
00000000.00000002.424063177.00230000.00000040.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000002.577710609.00442000.00000002.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000003.567703677.0013A000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3bd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdc8:$c1: Elevation:Administrator!new:
  • 0x3bd0:$c1: Elevation:Administrator!new:
00000003.00000003.567703677.0013A000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3bd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdc8:$c1: Elevation:Administrator!new:
  • 0x3bd0:$c1: Elevation:Administrator!new:
00000000.00000003.422033804.003DD000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x5998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x5998:$c1: Elevation:Administrator!new:
00000000.00000003.422033804.003DD000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x5998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x5998:$c1: Elevation:Administrator!new:
00000000.00000003.422033804.003DD000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000000.00000003.422009641.003DA000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x8998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x8998:$c1: Elevation:Administrator!new:
00000000.00000003.422009641.003DA000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x8998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x8998:$c1: Elevation:Administrator!new:
00000000.00000003.422009641.003DA000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000003.567782220.0012C000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000003.564800575.00130000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xadc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdbd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xadc8:$c1: Elevation:Administrator!new:
  • 0xdbd0:$c1: Elevation:Administrator!new:
00000003.00000003.564800575.00130000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xadc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdbd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xadc8:$c1: Elevation:Administrator!new:
  • 0xdbd0:$c1: Elevation:Administrator!new:
00000003.00000003.564800575.00130000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000002.577668662.00410000.00000040.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1672f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1672f:$c1: Elevation:Administrator!new:
00000003.00000002.577668662.00410000.00000040.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1672f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1672f:$c1: Elevation:Administrator!new:
                00000003.00000002.577668662.00410000.00000040.00000001.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
                  00000000.00000002.424120535.00262000.00000002.00000001.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
                    00000000.00000003.421973490.003CD000.00000004.00000001.sdmpCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
                    • 0x36a8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
                    • 0x15998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
                    • 0x36a8:$c1: Elevation:Administrator!new:
                    • 0x15998:$c1: Elevation:Administrator!new:
                    00000000.00000003.421973490.003CD000.00000004.00000001.sdmpCodoso_Gh0st_1_RID2C2DDetects Codoso APT Gh0st MalwareFlorian Roth
                    • 0x36a8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
                    • 0x15998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
                    • 0x36a8:$c1: Elevation:Administrator!new:
                    • 0x15998:$c1: Elevation:Administrator!new:
                    00000000.00000003.421973490.003CD000.00000004.00000001.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
                      Process Memory Space: images.exe PID: 3596JoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
                        Process Memory Space: 4ifN8B061M.exe PID: 3380JoeSecurity_AveMariaYara detected AveMaria stealerJoe Security

                          Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.4ifN8B061M.exe.250000.1.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.4ifN8B061M.exe.250000.1.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
• 0x161f0:$c1: Elevation:Administrator!new:
0.2.4ifN8B061M.exe.250000.1.unpack | Codoso_Gh0st_2_RID2C2E | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.2.images.exe.430000.1.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.2.images.exe.430000.1.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
• 0x161f0:$c1: Elevation:Administrator!new:
0.2.4ifN8B061M.exe.250000.1.unpack | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
• 0x161f0:$c1: Elevation:Administrator!new:
3.2.images.exe.430000.1.unpack | Codoso_Gh0st_2_RID2C2E | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.2.images.exe.430000.1.unpack | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
• 0x161f0:$c1: Elevation:Administrator!new:
0.2.4ifN8B061M.exe.250000.1.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
3.2.images.exe.430000.1.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
0.2.4ifN8B061M.exe.250000.1.unpack | AveMaria_WarZone | unknown | unknown
• 0x13644:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
• 0x13514:$str2: MsgBox.exe
• 0x136b0:$str4: \System32\cmd.exe
• 0x133e8:$str6: Ave_Maria
• 0x12620:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
• 0x12000:$str8: SMTP Password
• 0x11b50:$str11: \Google\Chrome\User Data\Default\Login Data
• 0x125ec:$str12: \sqlmap.dll
• 0x11b28:$str14: SELECT * FROM logins
• 0x161f0:$str16: Elevation:Administrator!new
• 0x16310:$str17: /n:%temp%
3.2.images.exe.430000.1.unpack | AveMaria_WarZone | unknown | unknown
• 0x13644:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
• 0x13514:$str2: MsgBox.exe
• 0x136b0:$str4: \System32\cmd.exe
• 0x133e8:$str6: Ave_Maria
• 0x12620:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
• 0x12000:$str8: SMTP Password
• 0x11b50:$str11: \Google\Chrome\User Data\Default\Login Data
• 0x125ec:$str12: \sqlmap.dll
• 0x11b28:$str14: SELECT * FROM logins
• 0x161f0:$str16: Elevation:Administrator!new
• 0x16310:$str17: /n:%temp%
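The rows above are what a YARA string match reports: one line per string identifier per offset at which that string occurs in the unpacked image. Two things are worth noticing before trusting the rule names. First, the two unpacked images (process 0 at 0x250000 and process 3 at 0x430000) give byte-identical offsets, which is what you expect when images.exe is a plain copy of the sample. Second, every Codoso_Gh0st hit on this page is the same COM elevation moniker string ("Elevation:Administrator!new:{CLSID}"), a UAC-bypass artefact that is not specific to Gh0st, so that rule family is overlapping on a shared string rather than identifying a second malware family. The following is an added example, not code from the report and not the rule's own source: it scans a buffer for the AveMaria_WarZone strings listed above (the identifiers the page does not show, such as $str3, are not reproduced) and renders hits in the report's format. The buffer, the hypothetical UTF-16LE copy of one string at offset 0x100 and the "wide" handling are my constructions to exercise the scanner.

```python
"""Re-implementation of the string scan behind the AveMaria_WarZone rows.

Added example; not part of the Joe Sandbox report and not the rule's source.
"""
from typing import Dict, List, Tuple

# Identifiers and values exactly as listed for AveMaria_WarZone in the report.
AVEMARIA_WARZONE: Dict[str, bytes] = {
    "$str1": b"cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q",
    "$str2": b"MsgBox.exe",
    "$str4": b"\\System32\\cmd.exe",
    "$str6": b"Ave_Maria",
    "$str7": b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList",
    "$str8": b"SMTP Password",
    "$str11": b"\\Google\\Chrome\\User Data\\Default\\Login Data",
    "$str12": b"\\sqlmap.dll",
    "$str14": b"SELECT * FROM logins",
    "$str16": b"Elevation:Administrator!new",
    "$str17": b"/n:%temp%",
}

# Offsets reported for 0.2.4ifN8B061M.exe.250000.1.unpack (identical for
# 3.2.images.exe.430000.1.unpack). Used only to build the constructed image.
REPORTED_OFFSETS: Dict[str, int] = {
    "$str1": 0x13644, "$str2": 0x13514, "$str4": 0x136b0, "$str6": 0x133e8,
    "$str7": 0x12620, "$str8": 0x12000, "$str11": 0x11b50, "$str12": 0x125ec,
    "$str14": 0x11b28, "$str16": 0x161f0, "$str17": 0x16310,
}

Hit = Tuple[int, str, str]  # (offset, identifier, "ascii" or "wide")


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every offset (overlapping allowed) of needle in haystack."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def scan(image: bytes, strings: Dict[str, bytes] = AVEMARIA_WARZONE) -> List[Hit]:
    """All hits sorted by offset. Mirrors YARA 'ascii wide': the wide form is
    the ASCII bytes interleaved with NUL, i.e. UTF-16LE."""
    hits: List[Hit] = []
    for ident, ascii_form in strings.items():
        wide_form = ascii_form.decode("ascii").encode("utf-16-le")
        hits += [(off, ident, "ascii") for off in find_all(image, ascii_form)]
        hits += [(off, ident, "wide") for off in find_all(image, wide_form)]
    return sorted(hits)


def report_rows(hits: List[Hit], strings: Dict[str, bytes] = AVEMARIA_WARZONE) -> List[str]:
    """Render hits in the report's '0x13644:$str1: ...' style."""
    return [f"0x{off:x}:{ident}: {strings[ident].decode('ascii')}"
            + (" (wide)" if enc == "wide" else "")
            for off, ident, enc in hits]


def build_test_image() -> bytes:
    """Constructed stand-in for the unpacked image (assumption, not a dump):
    a zero-filled buffer with the report's strings at the report's offsets.
    At 0x161f0 the full elevation moniker that the Codoso_Gh0st rules also
    hit is written, so $str16 matches as its prefix. One UTF-16LE copy of
    'Ave_Maria' is placed at 0x100 purely to exercise the wide path."""
    img = bytearray(0x16400)
    for ident, off in REPORTED_OFFSETS.items():
        img[off:off + len(AVEMARIA_WARZONE[ident])] = AVEMARIA_WARZONE[ident]
    moniker = b"Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}"
    img[0x161f0:0x161f0 + len(moniker)] = moniker
    wide = "Ave_Maria".encode("utf-16-le")
    img[0x100:0x100 + len(wide)] = wide
    return bytes(img)


if __name__ == "__main__":
    for row in report_rows(scan(build_test_image())):
        print(row)
```

Run against a real unpacked dump (`scan(open(path, "rb").read())`), the ASCII offsets are what a YARA `$str` line reports; a hit that only appears in wide form is the usual sign that the sample keeps its strings as UTF-16 and the rule needs the `wide` modifier to fire.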

                              Sigma Overview

                              No Sigma rule has matched

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

Match: unknown
Associated Sample Name / URL | Detection | Context (IP)
https://gardenario.wepbro.com/wp-includes/privata-sezione/interni-5049405216-3JcvOrExSuWC8h/lnvf9373-vw64t721vttv/ | malicious | 104.31.64.13
https://herbancreativenj.com/minvoice?mail=% | malicious | 104.31.89.17
https://herbancreativenj.com/minvoice?mail=%{0:{{Recipient.Email}}}% | malicious | 104.31.88.17
http://wp-demo-wp04.vicoders.com/wp-content/mne0e-fl6ho-91193/ | malicious | 47.98.241.4
https://herbancreativenj.com/minvoice?mail=%{0:{{Recipient.Email}}}% | malicious | 104.31.88.17
http://networkscy.incyprus.net/e1dd/bnpr-m7a-4615/ | malicious | 104.16.123.96
cron | malicious | 45.9.148.125
http://cdnus.filesupdatehead.com/ofr/Famofama/01_07_19/Famofama_pages.zip | malicious | 199.115.112.67
http://27.69.242.187 | malicious | 159.148.172.231
http://www2.formatta.com/download/fillersetup.exe | malicious | 40.84.144.206
vij.exe | malicious | 139.28.39.70
SAMPLE.exe | malicious | 127.0.0.1
cron | malicious | 45.9.148.129
ze99HWZnJK.exe | malicious | 52.97.183.194
https://kbelectricals.co.in/varujy3/ox07-svj-94 | malicious | 103.28.36.212
http://solarsistem.net/doc/8me4x/* | malicious | 162.241.24.173
http://lakewin.org/wp-admin/j19x/* | malicious | 162.241.24.26
http://vanguardesigns.com/akbadminton/0412/* | malicious | 162.241.24.179
http://nowotnik.com/nqrgo8/cy3a6/' | malicious | 50.87.253.50
http://ngiveu.com/hcy5u/icv4/* | malicious | 49.235.41.178

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Startup

                              • System is w7_1
                              • 4ifN8B061M.exe (PID: 3380 cmdline: 'C:\Users\user\Desktop\4ifN8B061M.exe' MD5: 94FF625253B3920FE5B6824BD8C30482)
                                • images.exe (PID: 3596 cmdline: C:\ProgramData\images.exe MD5: 94FF625253B3920FE5B6824BD8C30482)
                              • images.exe (PID: 3804 cmdline: 'C:\ProgramData\images.exe' MD5: 94FF625253B3920FE5B6824BD8C30482)
                              • cleanup

                              Created / dropped Files

                              C:\ProgramData\images.exe
                              Process:C:\Users\user\Desktop\4ifN8B061M.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Size (bytes):874592
                              Entropy (8bit):4.285697737343411
                              Encrypted:false
                              MD5:94FF625253B3920FE5B6824BD8C30482
                              SHA1:BD2DC8A13C592360AC1E091B397C62AC8574D10A
                              SHA-256:E78E25771A0E710D9CC8B0EF306197AA8BC061D1A1D0282E19A6F3597C7A4E14
                              SHA-512:9BDEAA585730E2CA31F1966D15329A23BBDD6A1560C01C58558B51A21ADDF568DB89D41F9E0F7040393A690E0ACD74EA1EBF97059AAFADE637B864D7C55DAEDA
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Reputation:low
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q..T............f.......f.......f.......G...1...G.......f...4...........G.................!.............Rich....................PE..L...%N.].....................@......b........ ....@.................................#<....@....................................T....0...............:..`....@...;......8...............................@............ ..4............................text............................... ..`.rdata..B.... ......................@..@.data....w.......j..................@....rsrc........0......................@..@.reloc...;...@...<..................@..B........................................................................................................................................................................................................................................................................................................
                              C:\ProgramData\images.exe:Zone.Identifier
                              Process:C:\Users\user\Desktop\4ifN8B061M.exe
                              File Type:ASCII text, with CRLF line terminators
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Reputation:high, very likely benign file
                              Preview: [ZoneTransfer]....ZoneId=0
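The Startup tree and the dropped-file record together describe one persistence pattern: the sample (PID 3380) writes a byte-identical copy of itself (same MD5 94FF625253B3920FE5B6824BD8C30482) to C:\ProgramData\images.exe, a directory a standard user can write to, and then executes that copy (PID 3596, later PID 3804). The 26-byte Zone.Identifier stream written beside it decodes to "[ZoneTransfer]\r\nZoneId=0\r\n" (the dots in the preview are the CR/LF bytes), i.e. the copy carries no Mark-of-the-Web. The following is an added example, not something the report or Joe Sandbox provides: a small detection over process-start and file-write events. The event schema, the list of staging directories and the alert wording are my assumptions; the event values are transcribed from the sections above.

```python
"""Self-copy persistence check over the Startup and dropped-file records.

Added example; not part of the Joe Sandbox report. Event schema, staging
directory list and alert format are assumptions made for this illustration.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    ppid: Optional[int]   # None where the report shows no parent
    image: str
    md5: str


@dataclass(frozen=True)
class FileWrite:
    writer_pid: int
    path: str
    md5: str


# Transcribed from the report's Startup and Created / dropped Files sections.
PROCESSES = [
    ProcessStart(3380, None, r"C:\Users\user\Desktop\4ifN8B061M.exe", "94FF625253B3920FE5B6824BD8C30482"),
    ProcessStart(3596, 3380, r"C:\ProgramData\images.exe", "94FF625253B3920FE5B6824BD8C30482"),
    ProcessStart(3804, None, r"C:\ProgramData\images.exe", "94FF625253B3920FE5B6824BD8C30482"),
]
FILES = [
    FileWrite(3380, r"C:\ProgramData\images.exe", "94FF625253B3920FE5B6824BD8C30482"),
    FileWrite(3380, r"C:\ProgramData\images.exe:Zone.Identifier", "187F488E27DB4AF347237FE461A079AD"),
]

# Directories writable by a standard user (assumed list for the heuristic).
STAGING_DIRS = (r"c:\programdata", r"c:\users\public", r"c:\windows\temp")


def in_staging_dir(path: str) -> bool:
    p = ntpath.normcase(path)
    return any(p.startswith(d + "\\") for d in STAGING_DIRS)


def self_copies(processes: List[ProcessStart], files: List[FileWrite]) -> List[str]:
    """Flag a process that writes a byte-identical copy of its own image
    (same MD5, different path). Tag the finding when the copy lands in a
    user-writable staging directory and when that copy is later executed."""
    by_pid = {p.pid: p for p in processes}
    started = {(ntpath.normcase(p.image), p.md5.upper()) for p in processes}
    findings = []
    for fw in files:
        writer = by_pid.get(fw.writer_pid)
        if writer is None or fw.md5.upper() != writer.md5.upper():
            continue                      # not the writer's own bytes
        if ntpath.normcase(fw.path) == ntpath.normcase(writer.image):
            continue                      # rewrote itself in place, not a copy
        tags = ["self-copy"]
        if in_staging_dir(fw.path):
            tags.append("staging-dir")
        if (ntpath.normcase(fw.path), fw.md5.upper()) in started:
            tags.append("executed")
        findings.append(
            f"pid {writer.pid} ({ntpath.basename(writer.image)}) -> {fw.path} [{', '.join(tags)}]")
    return findings


def mark_of_the_web(zone_stream_text: str) -> Optional[int]:
    """Parse a Zone.Identifier stream. ZoneId 3 is Internet; 0 is Local Machine,
    meaning the file will not be treated as downloaded content."""
    for line in zone_stream_text.splitlines():
        if line.strip().lower().startswith("zoneid="):
            return int(line.split("=", 1)[1].strip())
    return None


if __name__ == "__main__":
    for f in self_copies(PROCESSES, FILES):
        print(f)
    print("ZoneId:", mark_of_the_web("[ZoneTransfer]\r\nZoneId=0\r\n"))
```

The hash comparison is what makes this robust against renaming: images.exe shares nothing with the original name, but it is the same bytes, written by the process whose image has those bytes.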

                              Domains and IPs

                              Contacted Domains

                              No contacted domains info

                              URLs from Memory and Binaries

Name | Source | Malicious | Reputation
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 4ifN8B061M.exe | false | low
• 0%, Virustotal
• URL Reputation: safe
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 4ifN8B061M.exe | false | high
http://ocsp.sectigo.com0 | 4ifN8B061M.exe | false | unknown
• URL Reputation: safe
https://github.com/syohex/java-simple-mine-sweeperC: | 4ifN8B061M.exe, 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, images.exe, 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp | false | high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 4ifN8B061M.exe | false | low
• 0%, Virustotal
• URL Reputation: safe
http://ocsp.thawte.com0 | 4ifN8B061M.exe | false | unknown
• URL Reputation: safe
https://github.com/syohex/java-simple-mine-sweeper | 4ifN8B061M.exe, images.exe | false | high
https://sectigo.com/CPS0C | 4ifN8B061M.exe | false | low
• URL Reputation: safe

                                    Contacted IPs


                                    Public

IP | Country | ASN | ASN Name | Malicious
45.133.183.138 | Romania | 9009 | unknown | false

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):4.285697737343411
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:4ifN8B061M.exe
                                    File size:874592
                                    MD5:94ff625253b3920fe5b6824bd8c30482
                                    SHA1:bd2dc8a13c592360ac1e091b397c62ac8574d10a
                                    SHA256:e78e25771a0e710d9cc8b0ef306197aa8bc061d1a1d0282e19a6f3597c7a4e14
                                    SHA512:9bdeaa585730e2ca31f1966d15329a23bbdd6a1560c01c58558b51a21addf568db89d41f9e0f7040393a690e0acd74ea1ebf97059aafade637b864d7c55daeda
                                    SSDEEP:6144:yRhq8lbNztvIYqvNUKfW2Zb7xmuFKK2EikdRupxXqR4XFp:yRhq2vIYqvvW2lxRFKbuRupA4XFp
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q..T............f.......f.......f.......G...1...G.......f...4...........G.................!.............Rich...................

                                    File Icon

                                    Icon Hash:aab2e3e39383aa00

                                    Static PE Info

                                    General

                                    Entrypoint:0x401462
                                    Entrypoint Section:.text
                                    Digitally signed:true
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                    DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                    Time Stamp:0x5DDA4E25 [Sun Nov 24 09:32:21 2019 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:6
                                    OS Version Minor:0
                                    File Version Major:6
                                    File Version Minor:0
                                    Subsystem Version Major:6
                                    Subsystem Version Minor:0
                                    Import Hash:965b965b72f5b01661f49f8cafb546f0

                                    Authenticode Signature

                                    Signature Valid:true
                                    Signature Issuer:CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
                                    Signature Validation Error:The operation completed successfully
                                    Error Number:0
Not Before: 11/6/2019 1:00:00 AM
Not After: 7/25/2020 1:59:59 AM
                                    Subject Chain
                                    • CN="TOV, FAN-CHAI", O="TOV, FAN-CHAI", STREET="Ofis 25, Bud. 13 Vul.Klovsky Uzviz", L=Kyiv, S=Kyiv, PostalCode=01021, C=UA
                                    Version:3
                                    Thumbprint MD5:EFC8F3706CED61C8C3C0EF99A536ECD9
                                    Thumbprint SHA-1:E79EF654B3330B678FC3B4ADB6C2FB721455C4AD
                                    Thumbprint SHA-256:65D22885399551698B87F2DB1351A1A9B8214F6E80B6EF505A21993090D0AA26
                                    Serial:6CB82AC5FF6DE912CF66D257F1BC16F6

                                    Entrypoint Preview

                                    Instruction
                                    call 00007F76ACEDD091h
                                    jmp 00007F76ACEDCC1Fh
                                    push ebp
                                    mov ebp, esp
                                    mov eax, dword ptr [0042B018h]
                                    and eax, 1Fh
                                    push 00000020h
                                    pop ecx
                                    sub ecx, eax
                                    mov eax, dword ptr [ebp+08h]
                                    ror eax, cl
                                    xor eax, dword ptr [0042B018h]
                                    pop ebp
                                    ret
                                    push ebp
                                    mov ebp, esp
                                    mov eax, dword ptr [ebp+08h]
                                    push esi
                                    mov ecx, dword ptr [eax+3Ch]
                                    add ecx, eax
                                    movzx eax, word ptr [ecx+14h]
                                    lea edx, dword ptr [ecx+18h]
                                    add edx, eax
                                    movzx eax, word ptr [ecx+06h]
                                    imul esi, eax, 28h
                                    add esi, edx
                                    cmp edx, esi
                                    je 00007F76ACEDCDBBh
                                    mov ecx, dword ptr [ebp+0Ch]
                                    cmp ecx, dword ptr [edx+0Ch]
                                    jc 00007F76ACEDCDACh
                                    mov eax, dword ptr [edx+08h]
                                    add eax, dword ptr [edx+0Ch]
                                    cmp ecx, eax
                                    jc 00007F76ACEDCDAEh
                                    add edx, 28h
                                    cmp edx, esi
                                    jne 00007F76ACEDCD8Ch
                                    xor eax, eax
                                    pop esi
                                    pop ebp
                                    ret
                                    mov eax, edx
                                    jmp 00007F76ACEDCD9Bh
                                    push esi
                                    call 00007F76ACEDD524h
                                    test eax, eax
                                    je 00007F76ACEDCDC2h
                                    mov eax, dword ptr fs:[00000018h]
                                    mov esi, 004D18E4h
                                    mov edx, dword ptr [eax+04h]
                                    jmp 00007F76ACEDCDA6h
                                    cmp edx, eax
                                    je 00007F76ACEDCDB2h
                                    xor eax, eax
                                    mov ecx, edx
                                    lock cmpxchg dword ptr [esi], ecx
                                    test eax, eax
                                    jne 00007F76ACEDCD92h
                                    xor al, al
                                    pop esi
                                    ret
                                    mov al, 01h
                                    pop esi
                                    ret
                                    push ebp
                                    mov ebp, esp
                                    cmp dword ptr [ebp+08h], 00000000h
                                    jne 00007F76ACEDCDA9h
                                    mov byte ptr [004D18E8h], 00000001h
                                    call 00007F76ACEDD34Ch
                                    call 00007F76ACEDD7B3h
                                    test al, al
                                    jne 00007F76ACEDCDA6h
                                    xor al, al
                                    pop ebp
                                    ret
                                    call 00007F76ACEE12C8h
                                    test al, al
                                    jne 00007F76ACEDCDACh

                                    Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29bdc | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd3000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd3a00 | 0x1e60 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd4000 | 0x3bc0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x29480 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x294b8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x22000 | 0x234 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x202a5 | 0x20400 | False | 0.483852652616 | data | 6.49296073097 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x22000 | 0x8942 | 0x8a00 | False | 0.446359827899 | data | 5.34613683148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2b000 | 0xa77f0 | 0xa6a00 | False | 0.181593738278 | DOS executable (block device driver \277DN) | 3.15265096008 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xd3000 | 0x1e0 | 0x200 | False | 0.52734375 | data | 4.70189840452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd4000 | 0x3bc0 | 0x3c00 | False | 0.651692708333 | data | 6.57845878967 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0xd3060 | 0x17d | XML 1.0 document text | English | United States

                                    Imports

DLL | Import
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW
WS2_32.dll | htons, inet_addr, connect, socket, WSAStartup
KERNEL32.dll | FindNextFileW, FlushFileBuffers, FlushViewOfFile, GetComputerNameExW, GetConsoleCP, GetConsoleMode, GetCurrentDirectoryW, HeapCreate, PeekNamedPipe, PostQueuedCompletionStatus, SetFileAttributesW, SetFilePointerEx, SetHandleInformation, SetInformationJobObject, Sleep, VirtualAlloc, VirtualAllocEx, FindFirstFileExW, VirtualFreeEx, VirtualProtect, VirtualProtectEx, VirtualQuery, VirtualQueryEx, GetPhysicallyInstalledSystemMemory, QueryPerformanceCounter, FindClose, GetFileType, DeleteFileW, CreateSemaphoreW, CreateEventW, CreateDirectoryW, ConnectNamedPipe, GetProcessHeap, HeapSize, HeapReAlloc, CloseHandle, CreateFileW, WriteConsoleW, FindFirstFileExA, LCMapStringW, VirtualFree, DecodePointer, GetStringTypeW, SetStdHandle, FindNextFileA, HeapFree, HeapAlloc, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetACP, GetCPInfo, GetOEMCP, IsValidCodePage, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW
USER32.dll | UnregisterClassW, CreateDesktopW, CloseWindowStation, CloseDesktop, DrawFrameControl
ADVAPI32.dll | EventUnregister, ConvertSidToStringSidW, GetTokenInformation, GetKernelObjectSecurity, GetAce, FreeSid, EventWrite, AccessCheck, EventRegister, EqualSid, DuplicateTokenEx, DuplicateToken
SHELL32.dll | SHGetKnownFolderPath, SHGetFolderPathW
ADVPACK.dll | RebootCheckOnInstallW
dhcpcsvc.DLL | McastApiStartup
gdiplus.dll | GdipSetMatrixElements
PROPSYS.dll | PropVariantToInt32
TAPI32.dll | lineGetAddressCapsA
TRAFFIC.dll | TcQueryInterface
VSSAPI.DLL | CreateVssBackupComponentsInternal
wevtapi.dll | EvtGetPublisherMetadataProperty
WINTRUST.dll | CryptCATPersistStore
XmlLite.dll | CreateXmlWriterOutputWithEncodingCodePage
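Two of the static values above are cheap to recompute and worth understanding when reading a report like this: the per-section Entropy column (8-bit Shannon entropy, so 8.0 is uniformly random and a packed or encrypted .text typically sits above 7) and the Import Hash (965b965b72f5b01661f49f8cafb546f0 here), which clusters builds that share a linker-level import table even when the code is re-obfuscated. The block below is an added example, not the report's or Joe Sandbox's code. It computes both from scratch and applies the two triage checks a reviewer makes from the Sections table: an executable section with high entropy, and a section that is both writable and executable. The imphash rules follow the widely used pefile convention (lower-case, strip .dll/.ocx/.sys, join "lib.func" with commas, MD5); by-ordinal imports are out of scope, and the import list embedded here is a short excerpt of the table above (the long KERNEL32.dll entry is omitted), so its hash is not expected to equal the report's value, whose exact input order the page does not show.

```python
"""Section entropy, section triage flags and import hash, recomputed.

Added example; not the report's code. The imphash normalisation follows the
common pefile convention; ordinal imports are not handled (assumption).
"""
import hashlib
import math
from collections import Counter
from typing import List, Sequence, Set, Tuple


def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def imphash(imports: Sequence[Tuple[str, Sequence[str]]]) -> str:
    """MD5 over 'lib.func' pairs in import-table order (pefile convention)."""
    parts: List[str] = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# (name, entropy, characteristics) transcribed from the Sections table above.
PAGE_SECTIONS: List[Tuple[str, float, Set[str]]] = [
    (".text", 6.49296073097, {"MEM_EXECUTE", "CNT_CODE", "MEM_READ"}),
    (".rdata", 5.34613683148, {"CNT_INITIALIZED_DATA", "MEM_READ"}),
    (".data", 3.15265096008, {"CNT_INITIALIZED_DATA", "MEM_WRITE", "MEM_READ"}),
    (".rsrc", 4.70189840452, {"CNT_INITIALIZED_DATA", "MEM_READ"}),
    (".reloc", 6.57845878967, {"CNT_INITIALIZED_DATA", "MEM_DISCARDABLE", "MEM_READ"}),
]

# Excerpt of the Imports table above (KERNEL32.dll omitted for length).
PAGE_IMPORTS_EXCERPT: List[Tuple[str, List[str]]] = [
    ("VERSION.dll", ["GetFileVersionInfoSizeW", "GetFileVersionInfoW"]),
    ("WS2_32.dll", ["htons", "inet_addr", "connect", "socket", "WSAStartup"]),
    ("USER32.dll", ["UnregisterClassW", "CreateDesktopW", "CloseWindowStation",
                    "CloseDesktop", "DrawFrameControl"]),
    ("SHELL32.dll", ["SHGetKnownFolderPath", "SHGetFolderPathW"]),
]


def section_flags(sections: Sequence[Tuple[str, float, Set[str]]],
                  packed_threshold: float = 7.0) -> List[str]:
    """Triage checks over a sections table: packed-looking code, and W+X."""
    flags: List[str] = []
    for name, ent, chars in sections:
        if "MEM_EXECUTE" in chars and ent >= packed_threshold:
            flags.append(f"{name}: executable section with entropy {ent:.2f}, likely packed")
        if "MEM_EXECUTE" in chars and "MEM_WRITE" in chars:
            flags.append(f"{name}: writable and executable")
    return flags


def section_entropies(raw_sections: Sequence[Tuple[str, bytes]]) -> List[Tuple[str, float]]:
    """Entropy per raw section, the way the report's Entropy column is produced."""
    return [(name, round(entropy8(data), 6)) for name, data in raw_sections]


if __name__ == "__main__":
    print(section_flags(PAGE_SECTIONS))                 # [] for this sample
    print(imphash(PAGE_IMPORTS_EXCERPT))
    # Constructed data (not from the sample): a flat buffer vs. a uniform one.
    print(section_entropies([(".flat", b"\x00" * 4096),
                             (".uniform", bytes(range(256)) * 16)]))
```

For this sample the checks return nothing: .text is 6.49 bits per byte and only .data is writable, which is consistent with the disassembled, un-packed entry point shown above and with the strings being found in the unpacked image at fixed offsets.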

                                    Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                    Network Behavior

                                    Network Port Distribution

                                    TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2019 09:33:04.257024050 CET | 49169 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:33:04.280456066 CET | 53 | 49169 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:33:04.280795097 CET | 49169 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:33:06.305363894 CET | 53 | 49169 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:33:06.308520079 CET | 49169 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:33:07.911324024 CET | 49169 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:34:04.358297110 CET | 49170 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:34:04.381735086 CET | 53 | 49170 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:34:04.382009029 CET | 49170 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:34:06.405953884 CET | 53 | 49170 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:34:06.406146049 CET | 49170 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:34:08.325558901 CET | 49171 | 5200 | 192.168.1.16 | 45.133.183.138
Dec 9, 2019 09:34:11.324734926 CET | 49171 | 5200 | 192.168.1.16 | 45.133.183.138
Dec 9, 2019 09:34:15.368417978 CET | 49172 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:34:15.391953945 CET | 53 | 49172 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:34:15.392064095 CET | 49172 | 53 | 192.168.1.16 | 8.8.8.8

                                    UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2019 09:32:03.925107002 CET | 57034 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:32:03.966739893 CET | 53 | 57034 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:32:03.974251986 CET | 63068 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:32:04.007591009 CET | 53 | 63068 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:32:04.150613070 CET | 52162 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:32:04.174222946 CET | 53 | 52162 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:32:05.150875092 CET | 52162 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:32:05.176254034 CET | 53 | 52162 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:32:06.168806076 CET | 52162 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:32:06.192899942 CET | 53 | 52162 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:32:08.166450024 CET | 52162 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:32:08.189980984 CET | 53 | 52162 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:32:12.166918993 CET | 52162 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:32:12.190679073 CET | 53 | 52162 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:33:16.274024963 CET | 52137 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:33:16.297591925 CET | 53 | 52137 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:33:17.260957003 CET | 52137 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:33:17.284552097 CET | 53 | 52137 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:33:18.260999918 CET | 52137 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:33:18.284573078 CET | 53 | 52137 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:33:20.261075974 CET | 52137 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:33:20.288018942 CET | 53 | 52137 | 8.8.8.8 | 192.168.1.16
Dec 9, 2019 09:33:24.260509968 CET | 52137 | 53 | 192.168.1.16 | 8.8.8.8
Dec 9, 2019 09:33:24.284087896 CET | 53 | 52137 | 8.8.8.8 | 192.168.1.16
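The TCP and UDP packet tables above, as an added triage example that is not part of the Joe Sandbox report: a Python script that groups the rows by remote endpoint, separates outbound from inbound packets, lists the non-DNS endpoints that never sent anything back, and measures the spacing of repeated outbound packets to one endpoint. The rows are copied from the TCP table in full and the first four rows of the UDP table; the 192.168.1.0/24 guest subnet and the "unanswered" heuristic are the editor's assumptions.

```python
"""Remote-endpoint summary over the report's packet tables.

Added example, not Joe Sandbox code. Rows are copied from the TCP table
(complete) and the first four UDP rows. LOCAL_NET is an assumption about the
sandbox guest network.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.1.0/24")  # assumption: sandbox guest subnet
DNS_PORT = 53

# (proto, timestamp as printed in the report, src_port, dst_port, src_ip, dst_ip)
PACKETS = [
    ("tcp", "Dec 9, 2019 09:33:04.257024050 CET", 49169, 53, "192.168.1.16", "8.8.8.8"),
    ("tcp", "Dec 9, 2019 09:33:04.280456066 CET", 53, 49169, "8.8.8.8", "192.168.1.16"),
    ("tcp", "Dec 9, 2019 09:33:04.280795097 CET", 49169, 53, "192.168.1.16", "8.8.8.8"),
    ("tcp", "Dec 9, 2019 09:33:06.305363894 CET", 53, 49169, "8.8.8.8", "192.168.1.16"),
    ("tcp", "Dec 9, 2019 09:33:06.308520079 CET", 49169, 53, "192.168.1.16", "8.8.8.8"),
    ("tcp", "Dec 9, 2019 09:33:07.911324024 CET", 49169, 53, "192.168.1.16", "8.8.8.8"),
    ("tcp", "Dec 9, 2019 09:34:04.358297110 CET", 49170, 53, "192.168.1.16", "8.8.8.8"),
    ("tcp", "Dec 9, 2019 09:34:04.381735086 CET", 53, 49170, "8.8.8.8", "192.168.1.16"),
    ("tcp", "Dec 9, 2019 09:34:04.382009029 CET", 49170, 53, "192.168.1.16", "8.8.8.8"),
    ("tcp", "Dec 9, 2019 09:34:06.405953884 CET", 53, 49170, "8.8.8.8", "192.168.1.16"),
    ("tcp", "Dec 9, 2019 09:34:06.406146049 CET", 49170, 53, "192.168.1.16", "8.8.8.8"),
    ("tcp", "Dec 9, 2019 09:34:08.325558901 CET", 49171, 5200, "192.168.1.16", "45.133.183.138"),
    ("tcp", "Dec 9, 2019 09:34:11.324734926 CET", 49171, 5200, "192.168.1.16", "45.133.183.138"),
    ("tcp", "Dec 9, 2019 09:34:15.368417978 CET", 49172, 53, "192.168.1.16", "8.8.8.8"),
    ("tcp", "Dec 9, 2019 09:34:15.391953945 CET", 53, 49172, "8.8.8.8", "192.168.1.16"),
    ("tcp", "Dec 9, 2019 09:34:15.392064095 CET", 49172, 53, "192.168.1.16", "8.8.8.8"),
    ("udp", "Dec 9, 2019 09:32:03.925107002 CET", 57034, 53, "192.168.1.16", "8.8.8.8"),
    ("udp", "Dec 9, 2019 09:32:03.966739893 CET", 53, 57034, "8.8.8.8", "192.168.1.16"),
    ("udp", "Dec 9, 2019 09:32:03.974251986 CET", 63068, 53, "192.168.1.16", "8.8.8.8"),
    ("udp", "Dec 9, 2019 09:32:04.007591009 CET", 53, 63068, "8.8.8.8", "192.168.1.16"),
]


def parse_ts(text):
    """Parse the report's 'Mon D, YYYY HH:MM:SS.nnnnnnnnn TZ' stamp.

    The fraction is nanoseconds; strptime only takes microseconds, so the
    last three digits are dropped. The zone suffix is ignored (all rows share it).
    """
    stamp, _, _zone = text.rpartition(" ")
    base, _, frac = stamp.rpartition(".")
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def summarize(packets, local_net=LOCAL_NET):
    """Group by (proto, remote_ip, remote_port); count packets in each direction."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "out_times": []})
    for proto, ts, sport, dport, sip, dip in packets:
        src_local = ip_address(sip) in local_net
        dst_local = ip_address(dip) in local_net
        if src_local and not dst_local:
            entry = stats[(proto, dip, dport)]
            entry["out"] += 1
            entry["out_times"].append(parse_ts(ts))
        elif dst_local and not src_local:
            stats[(proto, sip, sport)]["in"] += 1
    return dict(stats)


def unanswered_non_dns(packets):
    """Remote non-DNS endpoints that were contacted but never sent a packet back."""
    return sorted(key for key, v in summarize(packets).items()
                  if key[2] != DNS_PORT and v["out"] > 0 and v["in"] == 0)


def retry_gaps(packets, endpoint):
    """Seconds between consecutive outbound packets to one endpoint."""
    times = sorted(summarize(packets)[endpoint]["out_times"])
    return [round((later - earlier).total_seconds(), 1)
            for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    for key, v in sorted(summarize(PACKETS).items()):
        print(f"{key[0]} {key[1]}:{key[2]}  out={v['out']} in={v['in']}")
    for endpoint in unanswered_non_dns(PACKETS):
        print("unanswered:", endpoint, "gaps:", retry_gaps(PACKETS, endpoint))
```

On these rows the only non-DNS endpoint is 45.133.183.138:5200/tcp, which receives two outbound packets 3.0 s apart and is the source of no packet in the capture; that cadence is consistent with a TCP SYN retransmission, i.e. the connection did not complete within the analysis window, so the report's process and file behaviour, not the network trace, is where the stealer's post-connection activity would have to be judged.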

                                    Code Manipulations

                                    Statistics

                                    CPU Usage


                                    Memory Usage


                                    High Level Behavior Distribution


                                    Behavior


                                    System Behavior

                                    General

Start time: 09:31:45
Start date: 09/12/2019
Path: C:\Users\user\Desktop\4ifN8B061M.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\4ifN8B061M.exe'
Imagebase: 0x12e0000
File size: 874592 bytes
MD5 hash: 94FF625253B3920FE5B6824BD8C30482
Has administrator privileges: true
Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                    General

Start time: 09:32:44
Start date: 09/12/2019
Path: C:\ProgramData\images.exe
Wow64 process (32bit): false
Commandline: C:\ProgramData\images.exe
Imagebase: 0xcc0000
File size: 874592 bytes
MD5 hash: 94FF625253B3920FE5B6824BD8C30482
Has administrator privileges: true
Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.565700412.0013A000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.565700412.0013A000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.567703677.0013A000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.567703677.0013A000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.567782220.0012C000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
Reputation: low

                                    General

Start time: 09:32:55
Start date: 09/12/2019
Path: C:\ProgramData\images.exe
Wow64 process (32bit): false
Commandline: 'C:\ProgramData\images.exe'
Imagebase: 0xcc0000
File size: 874592 bytes
MD5 hash: 94FF625253B3920FE5B6824BD8C30482
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                                    Disassembly

                                    Code Analysis
