Obfuscated AutoIt Malware Injects Executables to Steal Passwords and Browser Data
| VTI by Category
Try VMRay Analyzer
|
VTI Score
98 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 39 |
| VTI Rule Type | Default (PE, ...) |
|
Anti Analysis |
|
|
|
Try to detect debugger
|
|
|
Check via API "IsDebuggerPresent".
|
||
|
|
Delay execution
|
|
|
One thread sleeps more than 5 minutes.
|
||
|
|
Dynamic API usage
|
|
|
Resolve above average number of APIs.
|
||
|
|
Browser |
|
|
|
Read data related to saved browser credentials
|
|
|
Read saved credentials for "Google Chrome".
|
||
|
|
Read data related to browsing history
|
|
|
Read the browsing history for "Microsoft Internet Explorer".
|
||
|
|
Device |
|
|
|
Monitor keyboard input
|
|
|
Install system wide "WH_KEYBOARD_LL" hook(s) to monitor keystrokes.
|
||
|
|
File System |
|
|
|
Create many files
|
|
|
Create above average number of files.
|
||
|
|
Information Stealing |
|
|
|
Read browser data
|
|
|
Possibly trying to readout browser credentials.
|
||
|
|
Read system data
|
|
|
Readout data from clipboard.
|
||
|
|
Injection |
|
|
|
Write into memory of another process
|
|
|
"c:\users\eebsym5\appdata\local\temp\60484525\cih.exe" modifies memory of "c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe"
|
||
|
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" modifies memory of "c:\windows\system32\svchost.exe"
|
||
|
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" modifies memory of "c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe"
|
||
|
|
Modify control flow of another process
|
|
|
"c:\users\eebsym5\appdata\local\temp\60484525\cih.exe" alters context of "c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe"
|
||
|
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" alters context of "c:\windows\system32\svchost.exe"
|
||
|
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" alters context of "c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe"
|
||
|
|
Network |
|
|
|
Perform DNS request
|
|
|
Resolve host name "jlux123.no-ip.biz".
|
||
|
Resolve host name "jluxi.dynu.com".
|
||
|
|
Connect to remote host
|
|
|
Outgoing TCP connection to host "185.62.188.68:1991".
|
||
|
|
PE |
|
|
|
Drop PE file
|
|
|
Drop file "c:\users\eebsym5\appdata\local\temp\60484525\cih.exe".
|
||
|
|
Execute dropped PE file
|
|
|
Execute dropped file "c:\users\eebsym5\appdata\local\temp\60484525\cih.exe".
|
||
|
|
Persistence |
|
|
|
Install system startup script or application
|
|
|
Add "C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc" to windows startup via registry.
|
||
|
|
Process |
|
|
|
Create process with hidden window
|
|
|
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" starts with hidden window.
|
||
|
The process "C:\Windows\system32\svchost.exe" starts with hidden window.
|
||
|
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"" starts with hidden window.
|
||
|
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"" starts with hidden window.
|
||
|
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"" starts with hidden window.
|
||
|
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"" starts with hidden window.
|
||
|
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"" starts with hidden window.
|
||
|
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"" starts with hidden window.
|
||
|
|
Create a page with write and execute permissions
|
|
|
Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
|
||
|
|
Create system object
|
|
|
Create mutex with name "34419-GRNPWA".
|
||
|
Create mutex with name "Mutex_RemWatchdog".
|
||
|
|
Read from memory of another process
|
|
|
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\system32\svchost.exe".
|
||
|
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"".
|
||
|
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"".
|
||
|
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"".
|
||
|
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"".
|
||
|
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"".
|
||
|
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"".
|
||
| - | OS | |
| - | Hide Tracks | |
| - | Kernel | |
| - | Masquerade | |
| - | User | |
| - | VBA Macro | |
| - | YARA | |
