ac69e0f6...26b4 | VMRay Analyzer Report
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Spyware, Ransomware, Trojan, Dropper, Backdoor

VMRay Threat Indicators (30 rules, 116 matches)

Severity Category Operation Classification
5/5
File System Known malicious file Trojan
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe" is a known malicious file.
  • File "14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e" is a known malicious file.
  • File "5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d" is a known malicious file.
  • File "079f5422ec8e2d956f0533a2a1a62c0658453dbc2f1db0621f3b175ed2e46a21" is a known malicious file.
5/5
YARA YARA match Backdoor
  • Rule "Gh0stMiancha_1_0_0" from ruleset "Malware" has matched for "5.exe"
4/5
Network Modifies network configuration -
  • Modifies the host.conf file, probably to redirect network traffic.
4/5
Information Stealing Exhibits Spyware behavior Spyware
  • Tries to read sensitive data of multiple applications.
4/5
Network Associated with known malicious/suspicious URLs -
  • URL "http://ymad.ug/tesptc/loadman/3.exe" is known as malicious URL.
  • URL "ymad.ug/1/index.php" is known as malicious URL.
  • URL "http://loot.ug/Asjhd4736578gUdhfsfy4983689q34hHSDfig56usdfloadold/get.php?pid=AE2BD2A0D8075FA76A58D68C2A4634E3" is known as suspicious URL.
  • URL "loot.ug" is known as suspicious URL.
3/5
Information Stealing Reads cryptocurrency wallet locations -
3/5
File System Possibly drops ransom note files Ransomware
  • Possibly drops ransom note files (creates 42 instances of the file "_readme.txt" in different locations).
3/5
Anti Analysis Delays execution -
  • Schedules task for command "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe", to be triggered by Time.
2/5
Anti Analysis Resolves APIs dynamically to possibly evade static detection -
2/5
Information Stealing Reads sensitive browser data -
  • Trying to read sensitive data of web browser "Mozilla Firefox" by file.
  • Trying to read sensitive data of web browser "Comodo IceDragon" by file.
  • Trying to read sensitive data of web browser "Cyberfox" by file.
  • Trying to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
  • Trying to read sensitive data of web browser "Internet Explorer / Edge" by registry.
  • Trying to read sensitive data of web browser "Internet Explorer / Edge" by file.
2/5
Information Stealing Reads sensitive mail data -
  • Trying to read sensitive data of mail application "Microsoft Outlook" by registry.
2/5
Information Stealing Reads sensitive ftp data -
  • Trying to read sensitive data of ftp application "FileZilla" by file.
2/5
Information Stealing Reads sensitive application data -
  • Trying to read sensitive data of application "WinSCP" by registry.
  • Trying to read sensitive data of application "Pidgin" by file.
2/5
Static Contains known malicious embedded URLs -
  • URL "http://ymad.ug/tesptc/loadman/3.exe" is a known malicious URL.
1/5
Persistence Installs system startup script or application -
  • Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --AutoStart" to Windows startup via registry.
1/5
Process Creates process with hidden window -
  • The process "icacls" starts with hidden window.
  • The process "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe" starts with hidden window.
  • The process "powershell" starts with hidden window.
  • The process "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" starts with hidden window.
1/5
Process Creates system object -
  • Creates mutex with name "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}".
  • Creates mutex with name "A6CF1546B-343A2EC6-63D8DC88-FF4A8C5D-82A11F69".
  • Creates mutex with name "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}".
1/5
File System Modifies operating system directory -
  • Modifies file "C:\Windows\System32\drivers\etc\hosts" in the OS directory.
1/5
Information Stealing Reads system data -
  • Reads the cryptographic machine GUID from registry.
1/5
Information Stealing Possibly does reconnaissance -
  • Possibly trying to gather information about application "Mozilla Firefox" by file.
  • Possibly trying to gather information about application "Comodo IceDragon" by file.
  • Possibly trying to gather information about application "Cyberfox" by file.
  • Possibly trying to gather information about application "FileZilla" by file.
  • Possibly trying to gather information about application "WinSCP" by registry.
  • Possibly trying to gather information about application "Pidgin" by file.
  • Possibly trying to gather information about application "Monero" by registry.
  • Possibly trying to gather information about application "Bitcoin-Qt" by registry.
1/5
File System Creates an unusually large number of files -
1/5
Process Overwrites code -
1/5
Network Downloads file -
  • Downloads file via http from "http://loot.ug/Asjhd4736578gUdhfsfy4983689q34hHSDfig56usdfloadold/get.php?pid=AE2BD2A0D8075FA76A58D68C2A4634E3".
1/5
Network Connects to HTTP server -
  • URL "http://loot.ug/Asjhd4736578gUdhfsfy4983689q34hHSDfig56usdfloadold/get.php?pid=AE2BD2A0D8075FA76A58D68C2A4634E3".
  • URL "http://ymad.ug/tesptc/loadman/updatewin1.exe".
  • URL "http://ymad.ug/tesptc/loadman/updatewin2.exe".
  • URL "http://ymad.ug/tesptc/loadman/updatewin.exe".
1/5
PE The PE file was created with a packer -
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe" is packed with "UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser".
1/5
PE Drops PE file Dropper
1/5
Process Process crashed -
  • Unmonitored Process "c:\program files (x86)\windows media player\pregnancy-infection-derby.exe" crashed.
1/5
Static Contains known suspicious embedded URLs -
  • URL "http://loot.ug/Asjhd4736578gUdhfsfy4983689q34hHSDfig56usdfloadold/get.php?pid=AE2BD2A0D8075FA76A58D68C2A4634E3" is a known suspicious URL.
0/5
Process Enumerates running processes -

Sample Information

ID #526802
MD5 55b42589931331c2929847c78d0933d5
SHA1 904940b9ab5442595f75f6d6dfe46832569bc234
SHA256 ac69e0f6c8a697982a4897607ccd4def633354f6336a68985d48ae78920e26b4
SSDeep 6144:CcygBt56u4UqjIC6ibJd9mke7R68W55C0aPCUN8VOuMua6oIHCKvFXT:3ygP5bq0C3JKJR68m5C76suMKoIH9XT
ImpHash c0f45c74630c4b4b588aed07e009ac3e
Filename killeryuga.exe
File Size 345.50 KB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-03-24 17:35 (UTC+1)
Analysis Duration 00:04:34
Number of Monitored Processes 17
Execution Successful True
Reputation Enabled True
WHOIS Enabled True
YARA Enabled True
Number of YARA Matches 11
Termination Reason Timeout