VMRay Analyzer Report for Sample #1010245
Generated by VMRay Analyzer 3.2.2
Network Artifacts (DNS resolutions)
  raw.githubusercontent.com -> 151.101.112.133
  github.map.fastly.net -> (no address recorded in the export; this is the CNAME target of raw.githubusercontent.com, so the 151.101.x address above is Fastly CDN space shared with all of GitHub, not attacker-controlled)
  u7320947p3.ha004.t.justns.ru -> 185.22.155.51
Process Artifacts
  Process 1: feelmebq987g92.exe (process IDs as exported: 4436, 1376)
    Command line: "C:\Users\FD1HVy\Desktop\FeeLmebq987g92.exe"
    Working directory: C:\Users\FD1HVy\Desktop\
    Image path: c:\users\fd1hvy\desktop\feelmebq987g92.exe
Mutex Artifacts
  1135468555 (listed twice in the export)
Registry Artifacts (keys and values read)
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System, value EnableLUA (whether UAC is enabled)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000, value DriverDesc (display-adapter device class; on a VM the description names the virtual GPU)
  HKEY_LOCAL_MACHINE\Hardware\description\System, values SystemBiosVersion and VideoBiosVersion (BIOS strings that carry the hypervisor vendor name on a VM)
  HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (the VBOX__ OEM ID of the DSDT table identifies a VirtualBox guest)
  HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox (application reconnaissance)
  HKEY_CURRENT_USER\Software\Valve\Steam (application reconnaissance)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value ProductName (key listed twice in the export)
Analyzed Sample #1010245
Malware Artifacts
  Sample-ID: #1010245
  Job-ID: #2826274
  This sample was analyzed by VMRay Analyzer 3.2.2 on a Windows 10 Redstone 2 system.
  VTI Score: 100 (based on VTI Database Version 3.6)
Metadata of Sample File #1010245
  Submission-ID: #4530605
  Filename (as exported): 51e917806f84d3035b2d94cb3701b07ec47b3dc07a5b3e4dd38a5c552482a8bbexe
  MD5: dc1f1308759847a3e7161f284431cc5b
  SHA1: 7eec4c3e46e3c39e21d0bec2897ce3da261310f9
  SHA256: 51e917806f84d3035b2d94cb3701b07ec47b3dc07a5b3e4dd38a5c552482a8bb
Metadata of Analysis for Job-ID #2826274
  Termination reason: All processes terminated
  Analysis duration: 125.379 s
  VM configuration: win10_64_rs2 (Windows 10 Redstone 2, x86 64-bit, 10.0.15063.540 (f6f48955-5489-4b24-b4df-942361f0730d))
  Guest user: FD1HVy (matches the desktop path in the process artifacts)
  NQDPDE (appears twice in the export; likely the guest computer name)
  Unlabelled boolean fields in the export: False, True
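The network, mutex and hash artifacts above, collected into an IOC set and matched against log lines. This is an added example, not VMRay's code or output: the indicator constants are copied from the report, the log lines are constructed for the demo, and the confidence labels (treating the GitHub/Fastly hosts as shared infrastructure where only the full URL path is specific) are the editor's own triage assumption.

```python
"""IOC triage for the artifacts in this report.

Added example, not VMRay's code. The indicator constants are copied from the
report above; the log lines at the bottom are constructed for the demo and are
not from the report.
"""
import re

# DNS resolutions listed in the report. github.map.fastly.net has no address
# in the export, so it is kept with None.
DNS_RESOLUTIONS = {
    "raw.githubusercontent.com": "151.101.112.133",
    "github.map.fastly.net": None,
    "u7320947p3.ha004.t.justns.ru": "185.22.155.51",
}

# URLs from the report's network-connection findings (no scheme recorded).
URLS = [
    "raw.githubusercontent.com/fkarelli/fjrusbftnf/master/nyun.txt",
    "u7320947p3.ha004.t.justns.ru/collect.php",
]

MUTEX = "1135468555"
HASHES = {
    "md5": "dc1f1308759847a3e7161f284431cc5b",
    "sha1": "7eec4c3e46e3c39e21d0bec2897ce3da261310f9",
    "sha256": "51e917806f84d3035b2d94cb3701b07ec47b3dc07a5b3e4dd38a5c552482a8bb",
}

# Triage assumption: GitHub via Fastly is shared, legitimate infrastructure.
# A bare hostname or address hit is context only; the full URL path is what
# identifies the stager.
SHARED_HOSTS = {"raw.githubusercontent.com", "github.map.fastly.net"}


def defang(indicator):
    """Neutralise dots in the host part so the indicator cannot be clicked or resolved."""
    host, sep, path = indicator.partition("/")
    return host.replace(".", "[.]") + sep + path


def iocs_for_sharing():
    """Defanged indicator list with a confidence label for each entry."""
    out = []
    for url in URLS:
        out.append(("url", defang(url), "high"))
    for host, ip in DNS_RESOLUTIONS.items():
        conf = "low" if host in SHARED_HOSTS else "high"
        out.append(("domain", defang(host), conf))
        if ip:
            out.append(("ip", defang(ip), conf))
    out.append(("mutex", MUTEX, "high"))
    for algo, value in HASHES.items():
        out.append((algo, value, "high"))
    return out


def _present(token, line):
    """Whole-token match: '151.101.112.133' must not match '151.101.112.1330'."""
    return re.search(r"(?<![\w.-])" + re.escape(token) + r"(?![\w-])", line) is not None


def scan_logs(lines):
    """Return one hit per log line that contains any network indicator.

    Confidence is 'high' when a full URL or a non-shared host/address matches,
    'low' when only the shared GitHub/Fastly host or its address matches.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        matched, confidence = [], None
        for url in URLS:
            if url in line:
                matched.append(url)
                confidence = "high"
        for host, ip in DNS_RESOLUTIONS.items():
            conf = "low" if host in SHARED_HOSTS else "high"
            for token in (host, ip):
                if token and _present(token, line):
                    matched.append(token)
                    confidence = "high" if "high" in (confidence, conf) else "low"
        if matched:
            hits.append({"line": number, "indicators": matched, "confidence": confidence})
    return hits


# Constructed log lines for the demo (not from the report): DNS and proxy
# events in the shape a SIEM might normalise them to. The last line is a
# benign GitHub fetch that must only produce a low-confidence hit.
SAMPLE_LOGS = [
    "dns client=10.0.0.17 query=u7320947p3.ha004.t.justns.ru type=A answer=185.22.155.51",
    "proxy client=10.0.0.17 method=GET url=http://u7320947p3.ha004.t.justns.ru/collect.php status=200",
    "dns client=10.0.0.23 query=raw.githubusercontent.com type=A answer=151.101.112.133",
    "proxy client=10.0.0.23 method=GET url=https://raw.githubusercontent.com/fkarelli/fjrusbftnf/master/nyun.txt status=200",
    "proxy client=10.0.0.42 method=GET url=https://raw.githubusercontent.com/python/cpython/master/README.rst status=200",
]

if __name__ == "__main__":
    for kind, value, conf in iocs_for_sharing():
        print(f"{kind:7} {conf:5} {value}")
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

Only the third and fifth constructed lines come back as low confidence: a lookup of raw.githubusercontent.com or a hit on 151.101.112.133 alone would fire on every GitHub user in the estate, which is why the URL path, the .ru host and its address carry the weight.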
VTI Rule Matches (VTI Database Version 3.6; the score is the individual rule's severity, 0-5)
  Anti Analysis | 2/5 | vmray_detect_debugger_by_api | Tries to detect a debugger: check via API "CheckRemoteDebuggerPresent".
  Anti Analysis | 3/5 | vmray_evade_debugger_by_nt_set_information_thread | Tries to evade a debugger: hides a thread via API "NtSetInformationThread" (the ThreadHideFromDebugger information class).
  Anti Analysis | 2/5 | vmray_detect_debugger_by_api | Tries to detect a debugger: check via API "NtQueryInformationProcess".
  Anti Analysis | 2/5 (six matches) | vmray_detect_forensic_tool_by_window | Tries to detect a forensic tool: searches for the window classes "FilemonClass", "File Monitor - Sysinternals: www.sysinternals.com", "PROCMON_WINDOW_CLASS", "RegmonClass", "Registry Monitor - Sysinternals: www.sysinternals.com" and "18467-41".
  Anti Analysis | 2/5 | vmray_detect_generic_vm_by_registry | Tries to detect a virtual machine: reads system information commonly used to detect "VirtualBox" via registry (key "HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__").
  Mutex | 1/5 | vmray_create_named_mutex | Creates mutex with name "1135468555".
  Anti Analysis | 2/5 | vmray_detect_generic_vm_by_file | Tries to detect a virtual machine: looks for "VirtualBox" via file "c:\windows\system32\vboxservice.exe".
  Discovery | 1/5 | vmray_recon_app_data_by_registry | Possibly does reconnaissance: gathers information about application "Mozilla Firefox" by registry.
  Discovery | 1/5 | vmray_recon_app_data_by_file | Possibly does reconnaissance: gathers information about application "Mozilla Firefox" by file.
  Data Collection | 2/5 | vmray_read_ftp_creds_by_file | Reads sensitive FTP data: tries to read sensitive data of FTP application "FileZilla" by file.
  Discovery | 1/5 | vmray_recon_app_data_by_file | Possibly does reconnaissance: gathers information about application "FileZilla" by file.
  Data Collection | 2/5 | vmray_read_other_app_creds_by_file | Reads sensitive application data: tries to read sensitive data of application "Pidgin" by file.
  Discovery | 1/5 | vmray_recon_app_data_by_file | Possibly does reconnaissance: gathers information about application "Pidgin" by file.
  Data Collection | 2/5 | vmray_read_browser_creds_by_file | Reads sensitive browser data: tries to read sensitive data of web browser "Google Chrome" by file.
  Obfuscation | 2/5 | vmray_dynamic_api_usage_by_api | Resolves an unusually high number of APIs dynamically, possibly to evade static detection.
  Data Collection | 2/5 | vmray_read_vaulted_ie_creds_by_api | Reads sensitive browser data: tries to read credentials of web browser "Internet Explorer" from the system's credential vault.
  Discovery | 1/5 | vmray_recon_app_data_by_registry | Possibly does reconnaissance: gathers information about application "Steam" by registry.
  Discovery | 0/5 | vmray_enumerate_processes | Enumerates running processes.
  Obfuscation | 1/5 | vmray_overwrite_code | Overwrites code, possibly to hide behavior.
  Antivirus | 5/5 | vmray_av_malicious_match | Local AV detected the sample itself as "Gen:Variant.Ursu.895492" (malicious content detected by heuristic scan).
  Network Connection | 1/5 | vmray_establish_http_connection | Connects to HTTP server: URL "raw.githubusercontent.com/fkarelli/fjrusbftnf/master/nyun.txt".
  Network Connection | 1/5 | vmray_establish_http_connection | Connects to HTTP server: URL "u7320947p3.ha004.t.justns.ru/collect.php".
  Data Collection | 4/5 | vmray_meta_classify_spyware_for_excessive_infosteal | Exhibits spyware behavior: tries to read sensitive data of Pidgin, Internet Explorer, FileZilla and Google Chrome.

Notes for triage
  The anti-analysis checks target debuggers (CheckRemoteDebuggerPresent, NtQueryInformationProcess, ThreadHideFromDebugger), the Sysinternals monitors (the Procmon, Filemon and Regmon window classes) and VirtualBox (the ACPI VBOX__ key, the BIOS and display-adapter strings in the registry artifacts, vboxservice.exe). The report still records credential reads and both HTTP connections after these checks, so they did not abort execution in this run.
  "Gen:Variant.Ursu.*" is a generic heuristic detection name; the AV match establishes that the file is malicious but does not identify a family. The behavioural evidence (credential reads from FileZilla, Pidgin, Chrome and the IE credential vault, a text file fetched from a GitHub raw URL, then a connection to "collect.php" on the .ru host) is what supports the spyware classification.
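The VTI matches above, parsed from the raw export's one-field-per-line layout (category, score line, rule id, description, title) and summarised per category. This is an added example, not VMRay's code: it embeds ten of the report's matches verbatim as constructed input, and the summary functions (maximum rule score, credential targets, probed window classes) are the editor's own and do not reproduce VMRay's VTI score formula.

```python
"""Summarise VTI rule matches from a flattened VMRay export.

Added example, not VMRay's code. VTI_EXCERPT holds ten of the report's matches
verbatim, one field per line in the order the raw export uses; the summary
functions are the editor's own and do not reproduce VMRay's scoring formula.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Raw string: the registry path below contains backslashes.
VTI_EXCERPT = r"""
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_detect_debugger_by_api
Check via API "CheckRemoteDebuggerPresent".
Tries to detect debugger
Anti Analysis
VTI rule match with VTI rule score 3/5
vmray_evade_debugger_by_nt_set_information_thread
Hides Thread via API "NtSetInformationThread".
Tries to evade debugger
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_detect_forensic_tool_by_window
Searches for the window class "PROCMON_WINDOW_CLASS" that is related to a forensic tool.
Tries to detect a forensic tool
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_detect_forensic_tool_by_window
Searches for the window class "RegmonClass" that is related to a forensic tool.
Tries to detect a forensic tool
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_detect_generic_vm_by_registry
Reads out system information, commonly used to detect "VirtualBox" via registry. (Key is "HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__").
Tries to detect virtual machine
Data Collection
VTI rule match with VTI rule score 2/5
vmray_read_ftp_creds_by_file
Trying to read sensitive data of ftp application "FileZilla" by file.
Reads sensitive ftp data
Data Collection
VTI rule match with VTI rule score 2/5
vmray_read_browser_creds_by_file
Trying to read sensitive data of web browser "Google Chrome" by file.
Reads sensitive browser data
Antivirus
VTI rule match with VTI rule score 5/5
vmray_av_malicious_match
Local AV detected the sample itself as "Gen:Variant.Ursu.895492".
Malicious content was detected by heuristic scan
Network Connection
VTI rule match with VTI rule score 1/5
vmray_establish_http_connection
URL "u7320947p3.ha004.t.justns.ru/collect.php".
Connects to HTTP server
Data Collection
VTI rule match with VTI rule score 4/5
vmray_meta_classify_spyware_for_excessive_infosteal
Tries to read sensitive data of: Pidgin, Internet Explorer, FileZilla, Google Chrome.
Exhibits Spyware behavior
"""


@dataclass
class VtiMatch:
    category: str
    score: int
    max_score: int
    rule: str
    description: str
    title: str


def parse_vti(text):
    """Split the flattened export into 5-line records; fail loudly on a torn record."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if len(lines) % 5:
        raise ValueError("export is not a whole number of 5-line records")
    matches = []
    for i in range(0, len(lines), 5):
        category, score_line, rule, desc, title = lines[i:i + 5]
        m = re.search(r"score (\d+)/(\d+)", score_line)
        if not m:
            raise ValueError(f"bad score line: {score_line!r}")
        matches.append(VtiMatch(category, int(m[1]), int(m[2]), rule, desc, title))
    return matches


def by_category(matches):
    """Count and highest rule score per VTI category."""
    summary = defaultdict(lambda: {"count": 0, "max_score": 0})
    for m in matches:
        summary[m.category]["count"] += 1
        summary[m.category]["max_score"] = max(summary[m.category]["max_score"], m.score)
    return dict(summary)


def max_score(matches):
    """Highest single rule score; 5/5 here comes from the AV match."""
    return max(m.score for m in matches)


def credential_targets(matches):
    """Applications whose stored credentials the sample tried to read."""
    targets = set()
    for m in matches:
        if "_read_" in m.rule:
            targets.update(re.findall(r'"([^"]+)"', m.description))
        elif "infosteal" in m.rule:
            _, _, rest = m.description.partition("of:")
            targets.update(t.strip() for t in rest.rstrip(".").split(","))
    return sorted(targets)


def probed_window_classes(matches):
    """Window classes the sample searched for; none of these should exist on an analysis VM."""
    return [re.search(r'window class "([^"]+)"', m.description)[1]
            for m in matches if m.rule == "vmray_detect_forensic_tool_by_window"]


if __name__ == "__main__":
    records = parse_vti(VTI_EXCERPT)
    print(by_category(records))
    print("max rule score:", max_score(records))
    print("credential targets:", credential_targets(records))
    print("window classes probed:", probed_window_classes(records))
```

The per-category view is the useful one for a detection engineer: Anti Analysis has the most matches but tops out at 3/5, while the single 5/5 is the AV heuristic and the 4/5 is the spyware meta-rule, so the verdict rests on the credential-theft behaviour rather than on the evasion checks.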