Obfuscated AutoIt Malware Injects Executables to Steal Passwords and Browser Data | VTI by Score
Try VMRay Analyzer
VTI Information
VTI Score
98 / 100
VTI Database Version 2.6
VTI Rule Match Count 39
VTI Rule Type Default (PE, ...)
Detected Threats
Arrow Information Stealing Read browser data
Possibly trying to readout browser credentials.
Arrow Injection Write into memory of another process
"c:\users\eebsym5\appdata\local\temp\60484525\cih.exe" modifies memory of "c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe"
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" modifies memory of "c:\windows\system32\svchost.exe"
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" modifies memory of "c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe"
Arrow Injection Modify control flow of another process
"c:\users\eebsym5\appdata\local\temp\60484525\cih.exe" alters context of "c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe"
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" alters context of "c:\windows\system32\svchost.exe"
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" alters context of "c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe"
Arrow Device Monitor keyboard input
Install system wide "WH_KEYBOARD_LL" hook(s) to monitor keystrokes.
Arrow Browser Read data related to saved browser credentials
Read saved credentials for "Google Chrome".
Arrow Browser Read data related to browsing history
Read the browsing history for "Microsoft Internet Explorer".
Arrow Anti Analysis Try to detect debugger
Check via API "IsDebuggerPresent".
Arrow Persistence Install system startup script or application
Add "C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc" to windows startup via registry.
Arrow Process Create process with hidden window
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" starts with hidden window.
The process "C:\Windows\system32\svchost.exe" starts with hidden window.
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"" starts with hidden window.
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"" starts with hidden window.
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"" starts with hidden window.
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"" starts with hidden window.
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"" starts with hidden window.
The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"" starts with hidden window.
Arrow Process Create a page with write and execute permissions
Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
Arrow Process Create system object
Create mutex with name "34419-GRNPWA".
Create mutex with name "Mutex_RemWatchdog".
Arrow Anti Analysis Delay execution
One thread sleeps more than 5 minutes.
Arrow Network Perform DNS request
Resolve host name "jlux123.no-ip.biz".
Resolve host name "jluxi.dynu.com".
Arrow Process Read from memory of another process
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\system32\svchost.exe".
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"".
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"".
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"".
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"".
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"".
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"".
Arrow Information Stealing Read system data
Readout data from clipboard.
Arrow Anti Analysis Dynamic API usage
Resolve above average number of APIs.
Arrow File System Create many files
Create above average number of files.
Arrow Network Connect to remote host
Outgoing TCP connection to host "185.62.188.68:1991".
Arrow PE Drop PE file
Drop file "c:\users\eebsym5\appdata\local\temp\60484525\cih.exe".
Arrow PE Execute dropped PE file
Execute dropped file "c:\users\eebsym5\appdata\local\temp\60484525\cih.exe".
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image