Download PDF Report

Download PDF Report

DYNAMIC ANALYSIS REPORT #6812059 Classifications: Spyware Keylogger MALICIOUS Threat Names: Phoenix Verdict Reason: - Sample Type Windows Exe (x86-32) File Name 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe ID #2586838 MD5 23c6a9b7cacf900035cfac74aeae1c7f SHA1 b81b431eaafe067c8025609fa2240308c49266eb SHA256 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76 File Size 787.50 KB Report Created 2021-08-06 18:25 (UTC+2) Target Environment win10_64_th2_en_mso2016 | exe X-Ray Vision for Malware - www.vmray.com 1 / 25 DYNAMIC ANALYSIS REPORT #6812059 OVERVIEW VMRay Threat Identifiers (21 rules, 47 matches) Score Category Operation Count Classification 5/5 YARA Malicious content matched by YARA rules 1 Keylogger, Spyware • Rule "PhoenixKeylogger" from ruleset "Malware" has matched on the function strings for (process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe. 5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware • Tries to read sensitive data of: FileZilla, Vivaldi, Opera, Pidgin, Chromium, Comodo Dragon, Torch, Kometa, Chrome Canary, 7Star, ... ...er, Orbitum, Epic Privacy Browser, Yandex Browser, Maple Studio, Uran, CentBrowser, Amigo, CocCoc, Chedot, Google Chrome, Sputnik. 2/5 Data Collection Reads sensitive mail data 1 - • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry. 2/5 Data Collection Reads sensitive browser data 20 - • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Yandex Browser" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Amigo" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Kometa" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Google Chrome" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "CocCoc" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Orbitum" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Vivaldi" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Chromium" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "CentBrowser" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Chedot" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Comodo Dragon" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Torch" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Epic Privacy Browser" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Opera" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Uran" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "7Star" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Chrome Canary" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Maple Studio" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Sputnik" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of web browser "Elements Browser" by file. 2/5 Data Collection Reads sensitive ftp data 1 - • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of ftp application "FileZilla" by file. 2/5 Data Collection Reads sensitive application data 1 - • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to read sensitive data of application "Pidgin" by file. 2/5 Anti Analysis Delays execution 1 - • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe has a thread which sleeps more than 5 minutes. 2/5 Task Scheduling Schedules task 1 - • Schedules task for command "C:\Users\RDhJ0CNFevzX\AppData\Roaming\wsBGdsFOBo.exe", to be triggered by Logon. X-Ray Vision for Malware - www.vmray.com 2 / 25 DYNAMIC ANALYSIS REPORT #6812059 Score Category Operation Count Classification 2/5 Network Connection Sets up server that accepts incoming connections 1 - • (Process #1) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe starts a TCP server listening on localhost port 49707. 2/5 Injection Writes into the memory of a process started from a created or modified executable 1 - • (Process #1) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe modifies memory of (process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe. 2/5 Injection Modifies control flow of a process started from a created or modified executable 1 - • (Process #1) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe alters context of (process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe. 1/5 Mutex Creates mutex 1 - • (Process #1) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe creates mutex with name "BTogRRWUWEqJITyOtXFYjG". 1/5 Hide Tracks Creates process with hidden window 2 - • (Process #1) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe starts (process #2) schtasks.exe with a hidden window. • (Process #1) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe starts (process #1) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe with a hidden window. 1/5 Obfuscation Reads from memory of another process 1 - • (Process #1) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe reads from (process #1) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe. 1/5 Obfuscation Creates a page with write and execute permissions 1 - • (Process #1) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. 1/5 Privilege Escalation Enables process privilege 2 - • (Process #1) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe enables process privilege "SeDebugPrivilege". • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe enables process privilege "SeDebugPrivilege". 1/5 Discovery Possibly does reconnaissance 2 - • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to gather information about application "FileZilla" by file. • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe tries to gather information about application "Pidgin" by file. 1/5 Network Connection Performs DNS request 3 - • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe resolves host name "checkip.dyndns.org" to IP "132.226.247.73". • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe resolves host name "freegeoip.app" to IP "172.67.188.154". • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe resolves host name "api.telegram.org" to IP "149.154.167.220". 1/5 Network Connection Connects to remote host 3 - • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe opens an outgoing TCP connection to host "132.226.247.73:80". • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe opens an outgoing TCP connection to host "172.67.188.154:443". • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe opens an outgoing TCP connection to host "149.154.167.220:443". 1/5 Execution Executes itself 1 - • (Process #1) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe executes a copy of the sample at C: \Users\RDhJ0CNFevzX\Desktop\53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe. 1/5 Discovery Checks external IP address 1 - X-Ray Vision for Malware - www.vmray.com 3 / 25 DYNAMIC ANALYSIS REPORT #6812059 Score Category Operation Count Classification • (Process #5) 53695f461f19fcb5440ac85f777de093824ca61c777ff1c8b77001bf7eff4a76.exe checks external IP by asking IP info service at "http://checkip.dyndns.org/". X-Ray Vision for Malware - www.vmray.com 4 / 25 DYNAMIC ANALYSIS REPORT #6812059 Mitre ATT&CK Matrix Privilege Defense Credential Lateral

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    25 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us