Analysis
-
max time kernel
28s -
max time network
299s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
31-12-2022 08:03
Static task
static1
Behavioral task
behavioral1
Sample
yohuab.exe
Resource
win7-20221111-en
windows7-x64
7 signatures
300 seconds
General
-
Target
yohuab.exe
-
Size
1.2MB
-
MD5
db8a8e8b37240e9b989d8331afa38df9
-
SHA1
1ddd9e5ca937a9daa474997025778e4676f94a2b
-
SHA256
e4ae6708cd1d74b95175a022d6efcb86fe1fe058f5b611f8a8dec0fc56ec0271
-
SHA512
fafba2f9c3e55ab8ab29acf5c7bb87bb54d6d40a87b815a7fbbe60609da2ccdf6f91279a36b28987047450a3fa39413166a7ac4f3ca1774770af617e4e6d4813
-
SSDEEP
12288:l762TWGnujqU0z0gIlGYTbRliQHaUVPgCwUyzcdqPtoDC5n0I:l762mqtzlIlRZ6UNgC70P+Dm0I
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral1/memory/2000-55-0x0000000010000000-0x0000000010191000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2000-55-0x0000000010000000-0x0000000010191000-memory.dmp family_gh0strat -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
yohuab.exedescription ioc process File opened (read-only) \??\B: yohuab.exe File opened (read-only) \??\F: yohuab.exe File opened (read-only) \??\H: yohuab.exe File opened (read-only) \??\T: yohuab.exe File opened (read-only) \??\Y: yohuab.exe File opened (read-only) \??\Z: yohuab.exe File opened (read-only) \??\I: yohuab.exe File opened (read-only) \??\P: yohuab.exe File opened (read-only) \??\X: yohuab.exe File opened (read-only) \??\U: yohuab.exe File opened (read-only) \??\J: yohuab.exe File opened (read-only) \??\K: yohuab.exe File opened (read-only) \??\L: yohuab.exe File opened (read-only) \??\M: yohuab.exe File opened (read-only) \??\O: yohuab.exe File opened (read-only) \??\R: yohuab.exe File opened (read-only) \??\S: yohuab.exe File opened (read-only) \??\W: yohuab.exe File opened (read-only) \??\E: yohuab.exe File opened (read-only) \??\G: yohuab.exe File opened (read-only) \??\N: yohuab.exe File opened (read-only) \??\Q: yohuab.exe File opened (read-only) \??\V: yohuab.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
yohuab.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 yohuab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz yohuab.exe -
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
yohuab.exepid process 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe 2000 yohuab.exe