CAPE

Triggered CAPE Tasks: Task #12820: Extraction


Analysis

Category Package Started Completed Duration Options Log
FILE exe 2020-02-14 16:42:02 2020-02-14 16:47:42 340 seconds Show Options Show Log
  • Info: The analysis hit the critical timeout, terminating.
procmemdump = 1
procdump = 1
route = inetsim
2020-02-14 17:42:14,015 [root] INFO: Date set to: 02-14-20, time set to: 16:42:14, timeout set to: 200
2020-02-14 17:42:14,078 [root] DEBUG: Starting analyzer from: C:\aoabqoxon
2020-02-14 17:42:14,078 [root] DEBUG: Storing results at: C:\SvujdcJnQf
2020-02-14 17:42:14,078 [root] DEBUG: Pipe server name: \\.\PIPE\ksCURsJ
2020-02-14 17:42:14,078 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-02-14 17:42:14,078 [root] INFO: Automatically selected analysis package "exe"
2020-02-14 17:42:37,140 [root] DEBUG: Started auxiliary module Browser
2020-02-14 17:42:37,140 [root] DEBUG: Started auxiliary module Curtain
2020-02-14 17:42:37,140 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-02-14 17:42:40,687 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-02-14 17:42:40,687 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-02-14 17:42:40,687 [root] DEBUG: Started auxiliary module DigiSig
2020-02-14 17:42:40,703 [root] DEBUG: Started auxiliary module Disguise
2020-02-14 17:42:40,703 [root] DEBUG: Started auxiliary module Human
2020-02-14 17:42:40,717 [root] DEBUG: Started auxiliary module Screenshots
2020-02-14 17:42:40,717 [root] DEBUG: Started auxiliary module Sysmon
2020-02-14 17:42:40,717 [root] DEBUG: Started auxiliary module Usage
2020-02-14 17:42:40,717 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-02-14 17:42:40,717 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-02-14 17:42:42,750 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\COHXHLDhFlFDN.exe" with arguments "" with pid 2360
2020-02-14 17:42:44,108 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2020-02-14 17:42:44,125 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 17:42:44,125 [lib.api.process] INFO: 32-bit DLL to inject is C:\aoabqoxon\dll\RQRiIrDI.dll, loader C:\aoabqoxon\bin\OCpNGZw.exe
2020-02-14 17:42:44,250 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ksCURsJ.
2020-02-14 17:42:44,250 [root] DEBUG: Loader: Injecting process 2360 (thread 2224) with C:\aoabqoxon\dll\RQRiIrDI.dll.
2020-02-14 17:42:44,250 [root] DEBUG: Process image base: 0x00220000
2020-02-14 17:42:44,250 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\aoabqoxon\dll\RQRiIrDI.dll.
2020-02-14 17:42:44,250 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-14 17:42:44,250 [root] DEBUG: Successfully injected DLL C:\aoabqoxon\dll\RQRiIrDI.dll.
2020-02-14 17:42:44,250 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2360
2020-02-14 17:42:46,250 [lib.api.process] INFO: Successfully resumed process with pid 2360
2020-02-14 17:42:46,250 [root] INFO: Added new process to list with pid: 2360
2020-02-14 17:42:46,390 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 17:42:46,390 [root] DEBUG: Full process memory dumps enabled.
2020-02-14 17:42:46,390 [root] DEBUG: Process dumps enabled.
2020-02-14 17:42:46,578 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-14 17:42:46,578 [root] INFO: Disabling sleep skipping.
2020-02-14 17:42:46,592 [root] INFO: Disabling sleep skipping.
2020-02-14 17:42:46,592 [root] INFO: Disabling sleep skipping.
2020-02-14 17:42:46,592 [root] INFO: Disabling sleep skipping.
2020-02-14 17:42:46,592 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2360 at 0x6d650000, image base 0x220000, stack from 0x195000-0x1a0000
2020-02-14 17:42:46,592 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\COHXHLDhFlFDN.exe".
2020-02-14 17:42:46,592 [root] INFO: Monitor successfully loaded in process with pid 2360.
2020-02-14 17:42:46,687 [root] DEBUG: DLL loaded at 0x71AE0000: C:\Windows\system32\winmm (0x32000 bytes).
2020-02-14 17:42:47,108 [root] DEBUG: DLL loaded at 0x76190000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-02-14 17:42:47,108 [root] DEBUG: DLL loaded at 0x76180000: C:\Windows\system32\NSI (0x6000 bytes).
2020-02-14 17:42:47,108 [root] DEBUG: DLL loaded at 0x73F30000: C:\Windows\system32\WTSAPI32 (0xd000 bytes).
2020-02-14 17:42:47,108 [root] DEBUG: DLL loaded at 0x756B0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-02-14 17:42:47,108 [root] DEBUG: DLL loaded at 0x75270000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-02-14 17:42:47,171 [root] DEBUG: set_caller_info: Adding region at 0x01650000 to caller regions list (ntdll::memcpy).
2020-02-14 17:42:47,187 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2360
2020-02-14 17:42:47,187 [root] DEBUG: GetHookCallerBase: thread 2224 (handle 0x0), return address 0x00228D47, allocation base 0x00220000.
2020-02-14 17:42:47,187 [root] DEBUG: DoProcessDump: Created dump file for full process memory dump: C:\SvujdcJnQf\memory\2360.dmp.
2020-02-14 17:42:47,187 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00220000.
2020-02-14 17:42:47,187 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00220000
2020-02-14 17:42:47,203 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-02-14 17:42:47,203 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00220000.
2020-02-14 17:42:47,233 [root] DEBUG: DLL loaded at 0x75920000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-02-14 17:42:47,296 [root] INFO: Added new CAPE file to list with path: C:\SvujdcJnQf\CAPE\2360_212012932873015622020
2020-02-14 17:42:47,296 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x195000.
2020-02-14 17:42:55,983 [root] DEBUG: DoProcessDump: Full process memory dump saved to file: C:\SvujdcJnQf\memory\2360.dmp.
2020-02-14 17:42:56,171 [root] ERROR: Traceback (most recent call last):
  File "C:\aoabqoxon\analyzer.py", line 744, in run
    proc_dump(file_path)
  File "C:\aoabqoxon\analyzer.py", line 258, in proc_dump
    log.warning("No metadata file for process dump at path \"%s\": %s", file_path.encode("utf-8", "replace"), e)
UnboundLocalError: local variable 'e' referenced before assignment
2020-02-14 17:46:06,717 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-02-14 17:46:06,717 [root] INFO: Created shutdown mutex.
2020-02-14 17:46:07,717 [lib.api.process] INFO: Terminate event set for process 2360

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
win7_2 win7_2 KVM 2020-02-14 16:42:02 2020-02-14 16:47:40

File Details

File Name a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442.exe
File Size 1658880 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f2b9d1cb2c4b1cd11a8682755bcc52fa
SHA1 579884fad55207b54e4c2fe2644290211baec8b5
SHA256 a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442
SHA512 b047a4275f0fa7c0025945800acbffb5be1d327160a135c6ba8ff54352be603cbb47fff71f180ab1a915229778b7a883ed19e1d6a954ab82435913ed95c40752
CRC32 89CEFD79
Ssdeep 24576:darngxIJfX2+8mGrvs5pdUIPv3eAUW/Y8w9ejjERAjYrNFtI937sTR7R5NwrzD:da7gx2B81gdVXvfAnHRFtIl7k7RPwr
TrID None matched
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2360 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 2360 triggered the Yara rule 'shellcode_stack_strings'
NtSetInformationThread: attempt to hide thread from debugger
Creates RWX memory
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: winmm.dll/timeGetTime
DynamicLoader: ntdll.dll/NtOpenThread
DynamicLoader: winmm.dll/timeGetTime
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/RtlAllocateHeap
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/RtlAllocateHeap
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
Expresses interest in specific running processes
process: System
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary contains an unknown PE section name indicative of packing
unknown section: name: \x00 , entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00026200, virtual_size: 0x0004c000
unknown section: name: .rsrc , entropy: 0.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00001000
unknown section: name: .idata , entropy: 1.31, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000200, virtual_size: 0x00001000
unknown section: name: , entropy: 0.24, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000200, virtual_size: 0x0025e000
unknown section: name: htusmqub, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0016d800, virtual_size: 0x0016e000
unknown section: name: ijybpcqb, entropy: 3.64, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000200, virtual_size: 0x00001000
The binary likely contains encrypted or compressed data.
section: name: \x00 , entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00026200, virtual_size: 0x0004c000
section: name: htusmqub, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0016d800, virtual_size: 0x0016e000
Checks for the presence of known windows from debuggers and forensic tools
Window: OLLYDBG
Window: GBDYLLO
Window: pediy06
Window: FilemonClass
Window: File Monitor - Sysinternals: www.sysinternals.com
Window: PROCMON_WINDOW_CLASS
Window: Process Monitor - Sysinternals: www.sysinternals.com
Window: RegmonClass
Window: Registry Monitor - Sysinternals: www.sysinternals.com
Window: 18467-41
Window: Regmonclass
Window: Filemonclass
The following process appears to have been packed with Themida: COHXHLDhFlFDN.exe
Checks for the presence of known devices from debuggers and forensic tools
Detects the presence of Wine emulator via registry key
File has been identified by 61 Antiviruses on VirusTotal as malicious
Bkav: W32.HfsAutoB.
MicroWorld-eScan: Trojan.GenericKD.41987817
McAfee: Trojan-NukeSped.a
Cylance: Unsafe
VIPRE: Backdoor.Win32.Ircbot.gen (v)
Sangfor: Malware
CrowdStrike: win/malicious_confidence_100% (W)
Alibaba: Trojan:Win32/BlueNoroff.89bf74c9
K7GW: Trojan ( 0040f4ef1 )
K7AntiVirus: Trojan ( 0040f4ef1 )
Invincea: heuristic
F-Prot: W32/Nukesped.B
Symantec: Trojan Horse
ESET-NOD32: Win32/NukeSped.CL
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Trojan.Agent-7376505-0
GData: Trojan.GenericKD.41987817
Kaspersky: Trojan.Win32.BlueNoroff.f
BitDefender: Trojan.GenericKD.41987817
NANO-Antivirus: Trojan.Win32.BlueNoroff.ggbrdv
ViRobot: Trojan.Win32.S.Agent.1658880
Tencent: Win32.Trojan.Bluenoroff.Eddp
Endgame: malicious (high confidence)
Sophos: Troj/Agent-BCXR
Comodo: [email protected]#3pq9urfgrl2d6
F-Secure: Trojan.TR/Crypt.TPM.Gen
DrWeb: Trojan.Siggen8.55781
Zillya: Trojan.NukeSped.Win32.184
TrendMicro: TROJ_THCSIM.A
McAfee-GW-Edition: BehavesLike.Win32.Miuref.tc
Trapmine: malicious.high.ml.score
FireEye: Generic.mg.f2b9d1cb2c4b1cd1
Emsisoft: Trojan.GenericKD.41987817 (B)
SentinelOne: DFI - Suspicious PE
Cyren: W32/Trojan.SXNN-1599
Jiangmin: Trojan.BlueNoroff.h
Webroot: W32.Trojan.Gen
Avira: TR/Crypt.TPM.Gen
eGambit: Unsafe.AI_Score_99%
Antiy-AVL: Trojan/Win32.BlueNoroff
Arcabit: Trojan.Generic.D280AEE9
ZoneAlarm: Trojan.Win32.BlueNoroff.f
Microsoft: Trojan:Win32/Thcsim
AhnLab-V3: Trojan/Win32.Xpacked.C2581424
Acronis: suspicious
VBA32: BScope.TrojanPSW.Predator
ALYac: Trojan.Nukesped.A
MAX: malware (ai score=100)
Ad-Aware: Trojan.GenericKD.41987817
Panda: Trj/CI.A
TrendMicro-HouseCall: TROJ_THCSIM.A
Rising: Trojan.NukeSped!8.3184 (CLOUD)
Ikarus: Trojan.Win32.NukeSped
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: W32/BlueNoroff.CL!tr
BitDefenderTheta: Gen:NN.ZexaF.34090.LzWaau4D29h
AVG: Win32:Trojan-gen
Cybereason: malicious.ad5520
Avast: Win32:Trojan-gen
Qihoo-360: Win32/Trojan.06f
Checks the version of Bios, possibly for anti-virtualization
Detects VirtualBox through the presence of a registry key
Anomalous binary characteristics
anomaly: Unprintable characters found in section name

Screenshots


Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

\??\SICE
\??\SIWVID
\??\NTICE
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\ntdll.dll
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
\??\SICE
\??\SIWVID
\??\NTICE
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\ntdll.dll
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
\??\SICE
\??\SIWVID
\??\NTICE
HKEY_CURRENT_USER
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Wine
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
\xea\xa9\xb0\xc6\xbcEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
HKEY_LOCAL_MACHINE\Hardware\description\System
\xea\xa9\xb0\xc6\xbcEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
DisableUserModeCallbackFilter
\xea\xa9\xb0\xc6\xbcEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\xea\xa9\xb0\xc6\xbcEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
kernel32.dll.GetNativeSystemInfo
winmm.dll.timeGetTime
ntdll.dll.NtOpenThread
ntdll.dll.NtQuerySystemInformation
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ntdll.dll.RtlAllocateHeap

BinGraph

PE Information

Image Base 0x00400000
Entry Point 0x0081b000
Reported Checksum 0x0019cc42
Actual Checksum 0x0019cc42
Minimum OS Version 5.1
Compile Time 2017-02-20 10:45:37
Import Hash baa93d47220682c04d92f7797d9224ce

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
\x00 0x00001000 0x0004c000 0x00026200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.98
.rsrc 0x0004d000 0x00001000 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x0004e000 0x00001000 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.31
0x0004f000 0x0025e000 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.24
htusmqub 0x002ad000 0x0016e000 0x0016d800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.95
ijybpcqb 0x0041b000 0x00001000 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.64

Imports

Library kernel32.dll:
0x44e033 lstrcpy
Library comctl32.dll:
0x44e03b InitCommonControls

.rsrc
.idata
htusmqub
ijybpcqb
lstrcpy
InitCommonControls
kernel32.dll
comctl32.dll

Full Results

VirusTotal Signature
Bkav W32.HfsAutoB.
MicroWorld-eScan Trojan.GenericKD.41987817
CMC Clean
CAT-QuickHeal Clean
Qihoo-360 Win32/Trojan.06f
McAfee Trojan-NukeSped.a
Cylance Unsafe
Zillya Trojan.NukeSped.Win32.184
AegisLab Clean
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Trojan.GenericKD.41987817
K7GW Trojan ( 0040f4ef1 )
K7AntiVirus Trojan ( 0040f4ef1 )
TrendMicro TROJ_THCSIM.A
Baidu Clean
F-Prot W32/Nukesped.B
Symantec Trojan Horse
ESET-NOD32 Win32/NukeSped.CL
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.Agent-7376505-0
Kaspersky Trojan.Win32.BlueNoroff.f
Alibaba Trojan:Win32/BlueNoroff.89bf74c9
NANO-Antivirus Trojan.Win32.BlueNoroff.ggbrdv
SUPERAntiSpyware Clean
Avast Win32:Trojan-gen
Rising Trojan.NukeSped!8.3184 (CLOUD)
Endgame malicious (high confidence)
Emsisoft Trojan.GenericKD.41987817 (B)
Comodo [email protected]#3pq9urfgrl2d6
F-Secure Trojan.TR/Crypt.TPM.Gen
DrWeb Trojan.Siggen8.55781
VIPRE Backdoor.Win32.Ircbot.gen (v)
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Miuref.tc
Trapmine malicious.high.ml.score
FireEye Generic.mg.f2b9d1cb2c4b1cd1
Sophos Troj/Agent-BCXR
Ikarus Trojan.Win32.NukeSped
Cyren W32/Trojan.SXNN-1599
Jiangmin Trojan.BlueNoroff.h
Webroot W32.Trojan.Gen
Avira TR/Crypt.TPM.Gen
MAX malware (ai score=100)
Antiy-AVL Trojan/Win32.BlueNoroff
Kingsoft Clean
Microsoft Trojan:Win32/Thcsim
Arcabit Trojan.Generic.D280AEE9
ViRobot Trojan.Win32.S.Agent.1658880
ZoneAlarm Trojan.Win32.BlueNoroff.f
Avast-Mobile Clean
GData Trojan.GenericKD.41987817
AhnLab-V3 Trojan/Win32.Xpacked.C2581424
Acronis suspicious
VBA32 BScope.TrojanPSW.Predator
ALYac Trojan.Nukesped.A
TACHYON Clean
Ad-Aware Trojan.GenericKD.41987817
Zoner Clean
TrendMicro-HouseCall TROJ_THCSIM.A
Tencent Win32.Trojan.Bluenoroff.Eddp
Yandex Clean
SentinelOne DFI - Suspicious PE
eGambit Unsafe.AI_Score_99%
Fortinet W32/BlueNoroff.CL!tr
BitDefenderTheta Gen:NN.ZexaF.34090.LzWaau4D29h
AVG Win32:Trojan-gen
Cybereason malicious.ad5520
Panda Trj/CI.A
MaxSecure Trojan.Malware.300983.susgen

Process Tree


COHXHLDhFlFDN.exe, PID: 2360, Parent PID: 3032
Full Path: C:\Users\Rebecca\AppData\Local\Temp\COHXHLDhFlFDN.exe
Command Line: "C:\Users\Rebecca\AppData\Local\Temp\COHXHLDhFlFDN.exe"

Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

TCP

Source Source Port Destination Destination Port
192.168.1.2 49169 192.0.2.123 443
192.168.1.2 49171 192.0.2.123 443

UDP

Source Source Port Destination Destination Port
192.168.1.2 49158 1.1.1.1 53
192.168.1.2 51142 1.1.1.1 53
192.168.1.2 51584 1.1.1.1 53
192.168.1.2 51997 1.1.1.1 53
192.168.1.2 58036 1.1.1.1 53
192.168.1.2 58416 1.1.1.1 53
192.168.1.2 59272 1.1.1.1 53
192.168.1.2 59508 1.1.1.1 53
192.168.1.2 61182 1.1.1.1 53
192.168.1.2 64163 1.1.1.1 53
192.168.1.2 138 192.168.1.255 138

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-02-14 16:43:27.836 192.168.1.2 [VT] 49168 192.0.2.123 [VT] 443 CN=localhost a6:44:d8:14:40:2b:de:72:ea:9b:93:d1:5c:49:a9:20:4f:f9:21:0e TLS 1.2
2020-02-14 16:43:27.971 192.168.1.2 [VT] 49169 192.0.2.123 [VT] 443 CN=localhost a6:44:d8:14:40:2b:de:72:ea:9b:93:d1:5c:49:a9:20:4f:f9:21:0e TLS 1.2
2020-02-14 16:43:28.031 192.168.1.2 [VT] 49170 192.0.2.123 [VT] 443 CN=localhost a6:44:d8:14:40:2b:de:72:ea:9b:93:d1:5c:49:a9:20:4f:f9:21:0e TLS 1.2
2020-02-14 16:43:28.078 192.168.1.2 [VT] 49171 192.0.2.123 [VT] 443 CN=localhost a6:44:d8:14:40:2b:de:72:ea:9b:93:d1:5c:49:a9:20:4f:f9:21:0e TLS 1.2

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.2 49168 192.0.2.123 443 67f9e6835a46017b668ace14afaaac17 unknown
192.168.1.2 49169 192.0.2.123 443 67f9e6835a46017b668ace14afaaac17 unknown
192.168.1.2 49170 192.0.2.123 443 67f9e6835a46017b668ace14afaaac17 unknown
192.168.1.2 49171 192.0.2.123 443 67f9e6835a46017b668ace14afaaac17 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name COHXHLDhFlFDN.exe
PID 2360
Dump Size 1658880 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\COHXHLDhFlFDN.exe
Type PE image: 32-bit executable
MD5 85b475a73965b1da7e438f2d00641740
SHA1 6482cc2e1ce79ac8adbec79429f44edda7861e71
SHA256 511691d985017d8a8bf7980232b419fe741324042a717ab70cb623a26d5ea6c5
CRC32 06F18C8B
Ssdeep 24576:GQmBsd5DgRbxp9Tp+ajFF7C9KO5GzVL3tHDypLo3Yi8iP1jjX+b:koDgRtTTjFhCbwzVL3RDyptU1Q
ClamAV None
Yara
  • shellcode_get_eip - Match x86 that appears to fetch $PC.
  • shellcode_stack_strings - Match x86 that appears to be stack string creation.
CAPE Yara None matched
Dump Filename 511691d985017d8a8bf7980232b419fe741324042a717ab70cb623a26d5ea6c5

BinGraph


Defense Evasion Discovery
  • T1045 - Software Packing
    • Signature - packer_themida
  • T1083 - File and Directory Discovery
    • Signature - antidbg_devices
  • T1057 - Process Discovery
    • Signature - antidbg_windows
  • T1012 - Query Registry
    • Signature - antivm_generic_bios

    Processing ( 7.503 seconds )

    • 5.041 Suricata
    • 0.98 Static
    • 0.59 VirusTotal
    • 0.298 peid
    • 0.177 CAPE
    • 0.11 NetworkAnalysis
    • 0.091 TargetInfo
    • 0.087 ProcDump
    • 0.055 BehaviorAnalysis
    • 0.047 Deduplicate
    • 0.017 Strings
    • 0.008 AnalysisInfo
    • 0.002 Debug

    Signatures ( 0.056 seconds )

    • 0.009 antiav_detectreg
    • 0.006 ransomware_files
    • 0.004 infostealer_ftp
    • 0.003 stealth_timeout
    • 0.003 antiav_detectfile
    • 0.003 infostealer_bitcoin
    • 0.003 ransomware_extensions
    • 0.002 NewtWire Behavior
    • 0.002 api_spamming
    • 0.002 persistence_autorun
    • 0.002 decoy_document
    • 0.002 infostealer_im
    • 0.001 tinba_behavior
    • 0.001 Doppelganging
    • 0.001 injection_runpe
    • 0.001 injection_createremotethread
    • 0.001 InjectionCreateRemoteThread
    • 0.001 InjectionProcessHollowing
    • 0.001 shifu_behavior
    • 0.001 antianalysis_detectfile
    • 0.001 antianalysis_detectreg
    • 0.001 antivm_vbox_files
    • 0.001 antivm_vbox_keys
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 infostealer_mail
    • 0.001 masquerade_process_name

    Reporting ( 2.53 seconds )

    • 2.003 BinGraph
    • 0.211 MaecReport
    • 0.201 SubmitCAPE
    • 0.093 JsonDump
    • 0.022 MITRE_TTPS
    Task ID 12819
    Mongo ID 5e46cf39c3436de9e066741a
    Cuckoo release 1.3-CAPE