b77b82fa...2607 | VMRay Analyzer Report
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Keylogger, Spyware, Trojan

VMRay Threat Indicators (23 rules, 60 matches)

Severity | Category | Operation | Count | Classification
5/5 | Local AV | Malicious content was detected by heuristic scan | 1 | -
5/5 | Reputation | Known malicious file | 1 | Trojan
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gmmqacgpk.exe" is a known malicious file.
4/5 | Information Stealing | Exhibits Spyware behavior | 1 | Spyware
  • Tries to read sensitive data of: SeaMonkey, Google Chrome, Mozilla Firefox, Opera, Yandex Browser, Internet Explorer / Edge.
4/5 | Injection | Writes into the memory of another running process | 1 | -
  • "c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe" modifies memory of "c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe".
4/5 | Injection | Modifies control flow of another process | 2 | -
  • "c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe" alters context of "c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe".
  • "c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe" alters context of "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe".
3/5 | Device | Monitors keyboard input | 1 | Keylogger
  • Installs system wide "WH_KEYBOARD_LL" hook(s) to monitor keystrokes.
3/5 | Network | Reads network adapter information | 1 | -
2/5 | Anti Analysis | Resolves APIs dynamically to possibly evade static detection | 1 | -
2/5 | Information Stealing | Reads sensitive browser data | 7 | -
  • Trying to read sensitive data of web browser "Google Chrome" by file.
  • Trying to read sensitive data of web browser "Mozilla Firefox" by file.
  • Trying to read sensitive data of web browser "Opera" by file.
  • Trying to read sensitive data of web browser "Yandex Browser" by file.
  • Trying to read sensitive data of web browser "Internet Explorer / Edge" by registry.
  • Trying to read sensitive data of web browser "Comodo Dragon" by file.
  • Trying to read sensitive data of web browser "Maple Studio" by file.
2/5 | Information Stealing | Reads sensitive application data | 7 | -
  • Trying to read sensitive data of application "SeaMonkey" by file.
  • Trying to read sensitive data of application "Google Talk" by registry.
  • Trying to read sensitive data of application "Google Desktop" by registry.
  • Trying to read sensitive data of application "DynDNS" by file.
  • Trying to read sensitive data of application "Pidgin" by file.
  • Trying to read sensitive data of application "Internet Download Manager" by registry.
  • Trying to read sensitive data of application "jDownloader" by file.
2/5 | Information Stealing | Reads sensitive mail data | 3 | -
  • Trying to read sensitive data of mail application "Microsoft Outlook" by registry.
  • Trying to read sensitive data of mail application "IncrediMail" by registry.
  • Trying to read sensitive data of mail application "Windows Mail" by file.
2/5 | Information Stealing | Reads sensitive ftp data | 4 | -
  • Trying to read sensitive data of ftp application "CoreFTP" by file.
  • Trying to read sensitive data of ftp application "FileZilla" by file.
  • Trying to read sensitive data of ftp application "FlashFXP" by file.
  • Trying to read sensitive data of ftp application "Total Commander" by file.
1/5 | Process | Creates process with hidden window | 1 | -
  • The process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" starts with hidden window.
1/5 | Process | Reads from memory of another process | 2 | -
  • "c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe" reads from "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe".
  • "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe" reads from "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe".
1/5 | Process | Creates a page with write and execute permissions | 1 | -
  • Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5 | Process | Creates system object | 1 | -
  • Creates mutex with name "Global\.net clr networking".
1/5 | Network | Performs DNS request | 2 | -
1/5 | Persistence | Installs system startup script or application | 1 | -
  • Adds "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe" to Windows startup via registry.
1/5 | Information Stealing | Possibly does reconnaissance | 18 | -
  • Possibly trying to gather information about application "Mozilla Firefox" by file.
  • Possibly trying to gather information about application "Qualcomm Eudora" by registry.
  • Possibly trying to gather information about application "Mozilla Thunderbird" by file.
  • Possibly trying to gather information about application "Group Mail" by registry.
  • Possibly trying to gather information about application "MSN Messenger" by registry.
  • Possibly trying to gather information about application "Microsoft MessengerService" by registry.
  • Possibly trying to gather information about application "Yahoo Pager" by registry.
  • Possibly trying to gather information about application "Microsoft Identity Control" by registry.
  • Possibly trying to gather information about application "Windows Live Mail" by registry.
  • Possibly trying to gather information about application "CoreFTP" by file.
  • Possibly trying to gather information about application "DynDNS" by file.
  • Possibly trying to gather information about application "FileZilla" by file.
  • Possibly trying to gather information about application "FlashFXP" by file.
  • Possibly trying to gather information about application "Paltalk" by registry.
  • Possibly trying to gather information about application "Pidgin" by file.
  • Possibly trying to gather information about application "SmartFTP" by file.
  • Possibly trying to gather information about application "No-IP DUC" by registry.
  • Possibly trying to gather information about application "jDownloader" by file.
1/5 | Network | Connects to remote host | 1 | -
  • Outgoing TCP connection to host "46.166.182.114:80".
1/5 | Network | Connects to HTTP server | 1 | -
1/5 | Static | Unparsable sections in file | 1 | -
  • Static analyzer was unable to completely parse the analyzed file: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gmmqacgpk.exe.
0/5 | Process | Enumerates running processes | 1 | -

Sample Information

ID #117870
MD5 e4117e6974363cac8b37e5e3ff5d07a6
SHA1 74a02a421e029d24a1d2c692df28a90296d052d0
SHA256 b77b82fa96b676790b9a207d8208d90ace3a0922d5db5938c446cd22e9132607
SSDeep 12288:3qPSBEsVqSI0TjVMB2rdet1pEpWI8c8J:8eHVqSmUr0HipF8x
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
Filename gmmqacgpk.exe
File Size 692.00 KB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-07-22 02:24 (UTC+2)
Analysis Duration 00:02:27
Number of Monitored Processes 7
Execution Successful True
Reputation Enabled True
WHOIS Enabled False
Local AV Enabled True
YARA Enabled True
Number of AV Matches 1
Number of YARA Matches 0
Termination Reason Timeout
Tags