Automated Malware Analysis Report for RFQ.Exe

Automated Malware Analysis Report for RFQ.Exe

ID: 295709 Sample Name: RFQ.exe Cookbook: default.jbs Time: 11:10:56 Date: 09/10/2020 Version: 30.0.0 Red Diamond Table of Contents Table of Contents 2 Analysis Report RFQ.exe 4 Overview 4 General Information 4 Detection 4 Signatures 4 Classification 4 Startup 5 Malware Configuration 5 Yara Overview 5 Memory Dumps 5 Unpacked PEs 6 Sigma Overview 6 Signature Overview 6 AV Detection: 6 Networking: 6 System Summary: 6 Data Obfuscation: 7 Malware Analysis System Evasion: 7 HIPS / PFW / Operating System Protection Evasion: 7 Stealing of Sensitive Information: 7 Remote Access Functionality: 7 Mitre Att&ck Matrix 7 Behavior Graph 8 Screenshots 8 Thumbnails 8 Antivirus, Machine Learning and Genetic Malware Detection 9 Initial Sample 9 Dropped Files 9 Unpacked PE Files 9 Domains 9 URLs 9 Domains and IPs 11 Contacted Domains 11 Contacted URLs 11 URLs from Memory and Binaries 11 Contacted IPs 14 Public 14 General Information 14 Simulations 16 Behavior and APIs 16 Joe Sandbox View / Context 16 IPs 16 Domains 16 ASN 17 JA3 Fingerprints 17 Dropped Files 17 Created / dropped Files 17 Static File Info 18 General 18 File Icon 19 Static PE Info 19 General 19 Entrypoint Preview 19 Data Directories 21 Sections 21 Copyright null 2020 Page 2 of 34 Resources 21 Imports 21 Version Infos 21 Network Behavior 22 Network Port Distribution 22 TCP Packets 22 UDP Packets 22 DNS Queries 23 DNS Answers 23 HTTP Request Dependency Graph 24 HTTP Packets 24 Code Manipulations 25 Statistics 25 Behavior 25 System Behavior 25 Analysis Process: RFQ.exe PID: 3148 Parent PID: 5684 25 General 25 File Activities 26 File Created 26 File Read 26 Registry Activities 27 Key Created 27 Analysis Process: powershell.exe PID: 5284 Parent PID: 3148 27 General 27 File Activities 28 File Created 28 File Deleted 28 File Written 28 File Read 30 Analysis Process: conhost.exe PID: 6180 Parent PID: 5284 33 General 33 Disassembly 33 Code Analysis 33 Copyright null 2020 Page 3 of 34 Analysis Report RFQ.exe Overview General Information Detection Signatures Classification Sample RFQ.exe Name: Maallliiicciiioouuss ssaampplllee ddeettteeccttteedd (((ttthhrrroouugghh … Analysis ID: 295709 Muaulllttiticii AiAoVuV s SS sccaaamnnnpneleerrr ddeettteecctttieiioodnn ( fftfohorrr o ssuugbbhm … MD5: e483f3e062560f3… YMYaaurrrlatai dAdeeVttte eScccttteaednd n AAennrt ttidiiVVeMte__c33tion for subm SHA1: 29be5983a4575f2… YYaarrraa ddeettteeccttteedd MAnaatssiVssLMLoo_gg3ggeerrr RRAATT SHA256: 2d9767641256c4… ..Y.NNaEEraTT dsseootuuerrrcctee dcc ooMddaees ccsooLnnotttgaagiiinnessr pRpooAttteTenntttiiiaa… Tags: exe A.ANddEddTss asa o dduiiirrrececectt tocororryyd eex xcccolllunustsaiiiooinns tt topo o Wteiiinndtdioao… Most interesting Screenshot: MAdaadccshh iiiann eed iLLreecaatrrronnriiiynn gge xddceeltutteescciotttiiionon nt o fffo oWrrr sisnaadmopp… Maaycy h ccihnheec cLkke tttahhreen ioonnnglll iiindnee t IeIIPPc t aiaoddndd rfrreoesrs ss a oomfff …p MassLogger RAT QMuaueyerr riciieehsse scseken ntshsiieitttii ivvoeen lvviniiiddeee IooP d daeedvvdiiiccree s iiinsn fffoofrrr m… Score: 100 Range: 0 - 100 TQTrrruiiieessr i tettoos ddseetttneesccittt i svsaean nvddidbbeoooxxe edsse avanincdde oointtthfhoeerrrrm… Whitelisted: false TTrrriiieess tttoo hdhaearrtrvevecests ttst aanndd b ssotttexeaealsll b barrrnoodww sosetehrrr e iiinrn… Confidence: 100% TTrrriiieess tttoo shsttateeraavllel Msta aaiiillln ccdrrr eesddteeannltt tiibiaarlllsos w (((vvsiiieaar f ffiiilnll… YTYarairerraas ddtoee tttseetcectttaeeld dM CCaooils scttturuerrrada e AAnsstsisaeelms (bbvlllyiya L Lfoiol… AYAVaVr papr rrdooecceteesscsst e ssdtttrr riiCinngogss t fuffooruaun nAdds ((s(ooeffftmtteenbn l yuu ssLeeo… CAChVhe epccrkkossc ieiifff s AAsn nstttiitivrviiinrrruugss/// AAfonnutttiinissdpp yy(wowfataerrrene// /FuFisiirrree… CChheecckkss iiifff ttAthhneet icvcuiurrrurrrrese/nnAttt n pptrirrsoopccyeewsssas riiises / bFbeieriieinn… CCohonenttctaakiiinsn ssif lllotohnnegg c ssulllerereeppnsst p(((>>ro==c 3e3 s msi iinins))) bein CCrroreenaattatteeinss s aa l oDDniiirrgree csctltteIIInneppuusttt (oo>bb=jjje e3cc ttmt (((oionffft)tteenn fffoo… CCrrreeaattteess aa pDprrrioroeccceetssInss p iiinun t s souubssjpepecentn d(doeefdtde mn ofoo… DCDereettteaectcettteesd da p ppoortttoeecnnetttiisiaaslll cicnrrry yspputttoso p fffueunncdcttetiiiodon nmo EDEnenataebbcllleteessd dd peeobbtuueggn tppiarrriiliv vciiillrleeyggpeetoss function FEFonouaunbndlde asa hdhieiiggbhhu ngnu upmribvbeielerrr g ooefff s Wiiinnddooww /// UUss… HFHoTTuTTnPPd G aE EhTTig ohorr r n PPuOmSSbTTe r ww oiiittfth hWoouuinttt d aao uwuss e/e rrUr …s IIHIPPT aaTddPdd rrGreeEsssTs ssoeere ePnnO iiinnS cTco ownnnintheeocctuttiiioto nan wuwsiiitttehhr oo… MIPaa ayyd ssdlllereeeespps ( ((seeevveaanssi iivivnee c lllooonopnpses))c) tttoio nhh iiinwndditeherr r o … Moaonyni iittstoolerrrsse pcce e(rrertttavaaiiinns irrrveeegg iilisosttotrrrypy s kk)ee tyyoss h /// i nvvadalelluur… PMPEEo n fffiiilltleeo rccsoo cnnetttaartiiinansisn s srttetrrraganinsggtreey rrrkeeessyoosuu rr/rc cveeasslu QPEuue efrrirliiiee ssc ossenentnassiiniitttisiivv ese t prparrronocgcees srsseoosrrro iiiunnrfffocoerrrms aa… Quueerrriiieess ttsthheeen pspirrrtoiovddeuu cpctrtt o IIIDcDe oosffsf Wori iininnddfoowrwmssa Quueerrriiieess ttthhee vpvoroollluudmuceet iiiInnDfffo oorrrmf Waatttiiinioodnno (((wnnasam… SQSaaumerppielllees eethxxee ccvuuotttliiiuoomnn esst ttoionppfoss r wmwhhaiiitllleieo npp rrr(oonccaeem… SSaampplllee ffefiiillxleee iicissu ddtiiioiffffffnee rrrseetnonttpt ttsthh awannh ioloerrri iigpgiirinnoaacllel … YSYaarrmraa p sslieiigg nfnialaettt uuisrrre ed miffaeatrttcechnht than original Yara signature match Copyright null 2020 Page 4 of 34 Ransomware Miner Spreading mmaallliiiccciiioouusss malicious Evader Phishing sssuusssppiiiccciiioouusss suspicious cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Startup System is w10x64 RFQ.exe (PID: 3148 cmdline: 'C:\Users\user\Desktop\RFQ.exe' MD5: E483F3E062560F3BFC1E1B6BF258AF69) powershell.exe (PID: 5284 cmdline: 'powershell' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10) conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) cleanup Malware Configuration No configs have been found Yara Overview Memory Dumps Source Rule Description Author Strings 00000000.00000002.503999630.0000000004FE Quasar_RAT_1 Detects Quasar Florian Roth 0xbcd48:$op1: 04 1E FE 02 04 16 FE 01 60 B000.00000004.00000001.sdmp RAT 0xbcc0b:$op2: 00 17 03 1F 20 17 19 15 28 0xbd574:$op3: 00 04 03 69 91 1B 40 0xbe7a1:$op3: 00 04 03 69 91 1B 40 Copyright null 2020 Page 5 of 34 Source Rule Description Author Strings 00000000.00000002.503999630.0000000004FE JoeSecurity_MassLogger Yara detected Joe Security B000.00000004.00000001.sdmp MassLogger RAT 00000000.00000002.509144159.0000000007FB Quasar_RAT_1 Detects Quasar Florian Roth 0xa00:$op1: 04 1E FE 02 04 16 FE 01 60 0000.00000004.00000001.sdmp RAT 0x8c3:$op2: 00 17 03 1F 20 17 19 15 28 0x122c:$op3: 00 04 03 69 91 1B 40 0x2459:$op3: 00 04 03 69 91 1B 40 00000000.00000002.509144159.0000000007FB JoeSecurity_MassLogger Yara detected Joe Security 0000.00000004.00000001.sdmp MassLogger RAT Process Memory Space: RFQ.exe PID: 3148 JoeSecurity_AntiVM_3 Yara detected Joe Security AntiVM_3 Click to see the 2 entries Unpacked PEs Source Rule Description Author Strings 0.2.RFQ.exe.7fb0000.5.unpack JoeSecurity_MassLogger Yara detected Joe Security MassLogger RAT 0.2.RFQ.exe.7fb0000.5.raw.unpack Quasar_RAT_1 Detects Quasar Florian Roth 0xa00:$op1: 04 1E FE 02 04 16 FE 01 60 RAT 0x8c3:$op2: 00 17 03 1F 20 17 19 15 28 0x122c:$op3: 00 04 03 69 91 1B 40 0x2459:$op3: 00 04 03 69 91 1B 40 0.2.RFQ.exe.7fb0000.5.raw.unpack JoeSecurity_MassLogger Yara detected Joe Security MassLogger RAT Sigma Overview No Sigma rule has matched Signature Overview • AV Detection • Networking • Key, Mouse, Clipboard, Microphone and Screen Capturing • System Summary • Data Obfuscation • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection • Lowering of HIPS / PFW / Operating System Security Settings • Stealing of Sensitive Information • Remote Access Functionality Click to jump to signature section AV Detection: Multi AV Scanner detection for submitted file Machine Learning detection for sample Networking: May check the online IP address of the machine System Summary: Malicious sample detected (through community Yara rule) Copyright null 2020 Page 6 of 34 Data Obfuscation: .NET source code contains potential unpacker Yara detected Costura Assembly Loader Malware Analysis System Evasion: Yara detected AntiVM_3 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) HIPS / PFW / Operating System Protection Evasion: Adds a directory exclusion to Windows Defender Stealing of Sensitive Information: Yara detected MassLogger RAT Tries to harvest and steal browser information (history, passwords, etc) Tries to steal Mail credentials (via file access) Remote Access Functionality: Yara detected MassLogger RAT Mitre Att&ck Matrix Initial Privilege Credential Lateral Command Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Valid Windows Management Path Process Masquerading

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    34 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us