Obfuscated AutoIt Malware Injects Executables to Steal Passwords and Browser Data | VMRay Analyzer Report
Analysis Information
Creation Time 2017-10-04 04:23 (UTC+2)
VM Analysis Duration Time 00:02:12
Execution Successful True
Sample Filename 9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe
Command Line Parameters False
Prescript False
Number of Processes 15
Termination Reason Timeout
Reputation Enabled True
VTI Information
VTI Score
98 / 100
VTI Database Version 2.6
VTI Rule Match Count 39
VTI Rule Type Default (PE, ...)
Tags
#malware
Remarks
Critical The dump total size limit was reached during the analysis. Some memory dumps may be missing from the reports. You can increase the limit in the configuration.
Critical The operating system was rebooted during the analysis.
Critical The overall sleep time of all monitored processes was truncated from 20 minutes to 10 seconds to reveal dormant functionality.
Monitored Processes
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xa00 Analysis Target High (Elevated) 9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe "C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe"
#2 0xa20 Child Process High (Elevated) cih.exe "C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe" cvn-nhc #1
#3 0xa30 Child Process High (Elevated) cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK #2
#4 0xa4c Child Process High (Elevated) regsvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" #3
#5 0xa6c Child Process High (Elevated) svchost.exe C:\Windows\system32\svchost.exe #4
#6 0xa90 Child Process High (Elevated) regsvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh" #4
#7 0xa98 Child Process High (Elevated) regsvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu" #4
#8 0xaa0 Child Process High (Elevated) regsvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl" #4
#9 0x750 Autostart Medium cih.exe "C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe" C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc
#10 0x480 Child Process Medium cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO #9
#11 0x328 Child Process Medium regsvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" #10
#12 0x318 Child Process Medium svchost.exe C:\Windows\system32\svchost.exe #11
#13 0x520 Child Process Medium regsvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt" #11
#14 0x514 Child Process Medium regsvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv" #11
#15 0x36c Child Process Medium regsvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel" #11
Sample Information
ID #19247
MD5 Hash Value 2090ff67346785ba32859de0065350c6
SHA1 Hash Value 045e46667befb09b91ff797bdee91e5ef43d2366
SHA256 Hash Value 9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d
Filename 9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe
File Size 912.25 KB (934144 bytes)
File Type Windows Exe (x86-32)
Analyzer and Virtual Machine Information
Analyzer Version 2.2.0
Analyzer Build Date 2017-09-28 17:24
Internet Explorer Version 8.0.7601.17514
Chrome Version 58.0.3029.110
Firefox Version 25.0
Flash Version 10.3.183.90
Java Version 7.0.450
VM Name win7_32_sp1
VM Architecture x86 32-bit PAE
VM OS Windows 7
VM Kernel Version 6.1.7601.17514 (684da42a-30cc-450f-81c5-35b4d18944b1)