File name:	zNGjLCS.exe
Full analysis:	https://app.any.run/tasks/446af185-7652-4d8a-96dc-6e3e5fb7e933
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	December 14, 2018, 11:27:34
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	stealer evasion trojan megalodon
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	4E7A96BA38C85888DC95FD024C1DB577
SHA1:	B6B958B5A20303D3B39590102030D762C25B95EA
SHA256:	47CA9CD6BC95486A34DC9F1A28B6C9C9908B6E4644D80D16405981E96B729AB2
SSDEEP:	24576:vi8Db8+QUD+KIulQvUdfoQK1f7gVt9FUGN4:viSQMIuuU/E8Vt9TN4

.exe	\|	Win32 Executable Microsoft Visual Basic 6 (90.6)
.exe	\|	Win32 Executable (generic) (4.9)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

OriginalFileName:	outwitter.exe
InternalName:	outwitter
ProductVersion:	3.02.0007
FileVersion:	3.02.0007
ProductName:	Diffareation
LegalTrademarks:	heddy6
LegalCopyright:	Fratched3
FileDescription:	oxtail9
CompanyName:	muskie
Comments:	Reprobance
CharacterSet:	Unicode
LanguageCode:	English (U.S.)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x0000
ProductVersionNumber:	3.2.0.7
FileVersionNumber:	3.2.0.7
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	3.2
OSVersion:	4
EntryPoint:	0x14d8
UninitializedDataSize:	-
InitializedDataSize:	24576
CodeSize:	2035712
LinkerVersion:	6
PEType:	PE32
TimeStamp:	1998:11:25 01:29:31+01:00
MachineType:	Intel 386 or later, and compatibles

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	25-Nov-1998 00:29:31
Detected languages:	English - United States
Comments:	Reprobance
CompanyName:	muskie
FileDescription:	oxtail9
LegalCopyright:	Fratched3
LegalTrademarks:	heddy6
ProductName:	Diffareation
FileVersion:	3.02.0007
ProductVersion:	3.02.0007
InternalName:	outwitter
OriginalFilename:	outwitter.exe

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000B8

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	3
Time date stamp:	25-Nov-1998 00:29:31
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x001F012C	0x001F1000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	4.28588
.data	0x001F2000	0x00000A90	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0
.rsrc	0x001F3000	0x00004A9A	0x00005000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.50954

Title	Entropy	Size	Codepage	Language	Type
1	3.31133	772	Unicode (UTF 16LE)	English - United States	RT_VERSION
30001	3.66348	1640	Unicode (UTF 16LE)	UNKNOWN	RT_ICON
30002	4.15753	744	Unicode (UTF 16LE)	UNKNOWN	RT_ICON
30003	2.97602	488	Unicode (UTF 16LE)	UNKNOWN	RT_ICON
30004	3.8257	296	Unicode (UTF 16LE)	UNKNOWN	RT_ICON
30005	4.50425	7112	Unicode (UTF 16LE)	UNKNOWN	RT_ICON
30006	4.90032	3752	Unicode (UTF 16LE)	UNKNOWN	RT_ICON
30007	5.38014	2216	Unicode (UTF 16LE)	UNKNOWN	RT_ICON
30008	3.68342	1384	Unicode (UTF 16LE)	UNKNOWN	RT_ICON

PID	CMD	Path	Indicators	Parent process
2380	"C:\Users\admin\Desktop\zNGjLCS.exe"	C:\Users\admin\Desktop\zNGjLCS.exe		explorer.exe
User: admin Company: muskie Integrity Level: MEDIUM Description: oxtail9 Exit code: 0 Version: 3.02.0007
2744	"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\subfolder\filename.vbs"	C:\Windows\SysWOW64\WScript.exe		zNGjLCS.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
3048	"C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe"	C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe	—	zNGjLCS.exe
User: admin Company: muskie Integrity Level: MEDIUM Description: oxtail9 Exit code: 0 Version: 3.02.0007
3052	C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe"	C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe		filename.exe
User: admin Company: muskie Integrity Level: MEDIUM Description: oxtail9 Version: 3.02.0007
856	"C:\Users\admin\AppData\Local\Temp\AUDIODG.EXE"	C:\Users\admin\AppData\Local\Temp\AUDIODG.EXE		filename.exe
User: admin Integrity Level: MEDIUM Description: Version: 0.0.0.0
1988	"C:\Users\admin\AppData\Local\Temp\KEMISERVER BINJARALLAH.EXE"	C:\Users\admin\AppData\Local\Temp\KEMISERVER BINJARALLAH.EXE		filename.exe
User: admin Integrity Level: MEDIUM Description: Version: 0.0.0.0
2460	"C:\Users\admin\AppData\Local\Temp\5e233001-362b-42cb-8fdc-e3ec73c1ffcb.exe" C:\Users\admin\AppData\Local\Temp\2dd1e722-61a3-4fb2-bbfa-45c9e64851a7.tmp	C:\Users\admin\AppData\Local\Temp\5e233001-362b-42cb-8fdc-e3ec73c1ffcb.exe		KEMISERVER BINJARALLAH.EXE
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0
2632	"C:\Users\admin\AppData\Local\Temp\90646f70-e54b-4eca-89c8-2bb9ff49ccd7.exe" C:\Users\admin\AppData\Local\Temp\f875e2e5-2a58-472b-acfa-a87555345df5.tmp	C:\Users\admin\AppData\Local\Temp\90646f70-e54b-4eca-89c8-2bb9ff49ccd7.exe		AUDIODG.EXE
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0
1912	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\faxcampus.rtf"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000

PID	Process	Filename		Type
1912	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR4432.tmp.cvr		—
		MD5:—	SHA256:—
1912	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9BA3B62C-C546-4583-9348-DD6812A5C007}.tmp		—
		MD5:—	SHA256:—
1912	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{489DA20F-B890-4FC7-81A8-9430B792A21E}.tmp		—
		MD5:—	SHA256:—
2380	zNGjLCS.exe	C:\Users\admin\AppData\Local\Temp\~DF78E44B618EA0E717.TMP		binary
		MD5:EBA06C0DB8FC383DDCA0A667DF3C2706	SHA256:AACE03A4670FBC76EBD73F93CE57A7242F613182A79115AA1AC5E342622854FE
1912	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:136F0F8979E2F018C24240D58081664C	SHA256:45DA4F4CAC9AA2319121D202B222765E4B9A4C2B7A39B9C004F1FB2F98F31971
3052	filename.exe	C:\Users\admin\AppData\Local\Temp\KEMISERVER BINJARALLAH.EXE		executable
		MD5:ABE9464DF1F179991406A33D2E250CC8	SHA256:A42689C40DA74EF116D9290B99EFC516A436044A6496134D98213C56C4FA0301
3052	filename.exe	C:\Users\admin\AppData\Local\Temp\AUDIODG.EXE		executable
		MD5:FFD86A4B0CE89322379F61C8B5B9608E	SHA256:81AE3119052A8E6E8283FA1A264BEECD89E13A5F0486367F28B9A3E8FB99A6E1
1988	KEMISERVER BINJARALLAH.EXE	C:\Users\admin\AppData\Roaming\outloook\outloook.exe		executable
		MD5:ABE9464DF1F179991406A33D2E250CC8	SHA256:A42689C40DA74EF116D9290B99EFC516A436044A6496134D98213C56C4FA0301
3048	filename.exe	C:\Users\admin\AppData\Local\Temp\~DFC56AE5B5F6D7CD77.TMP		binary
		MD5:EBA06C0DB8FC383DDCA0A667DF3C2706	SHA256:AACE03A4670FBC76EBD73F93CE57A7242F613182A79115AA1AC5E342622854FE
2380	zNGjLCS.exe	C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe		executable
		MD5:4E7A96BA38C85888DC95FD024C1DB577	SHA256:47CA9CD6BC95486A34DC9F1A28B6C9C9908B6E4644D80D16405981E96B729AB2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
856	AUDIODG.EXE	GET	200	52.204.60.216:80	http://checkip.amazonaws.com/	US	text	15 b	shared
1988	KEMISERVER BINJARALLAH.EXE	GET	200	52.204.60.216:80	http://checkip.amazonaws.com/	US	text	15 b	shared

PID	Process	IP	Domain	ASN	CN	Reputation
856	AUDIODG.EXE	50.87.144.76:587	gator3059.hostgator.com	Unified Layer	US	suspicious
1988	KEMISERVER BINJARALLAH.EXE	129.121.5.204:587	mail.binjarallah.com	Colo4, LLC	US	suspicious
1988	KEMISERVER BINJARALLAH.EXE	52.204.60.216:80	checkip.amazonaws.com	Amazon.com, Inc.	US	shared
856	AUDIODG.EXE	52.204.60.216:80	checkip.amazonaws.com	Amazon.com, Inc.	US	shared

Domain	IP	Reputation
gator3059.hostgator.com	50.87.144.76	suspicious
mail.binjarallah.com	129.121.5.204	suspicious
checkip.amazonaws.com	52.204.60.216 107.23.175.217 34.192.84.239 52.1.46.34 52.202.139.131 34.233.102.38	shared

PID	Process	Class	Message
1988	KEMISERVER BINJARALLAH.EXE	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
856	AUDIODG.EXE	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
1988	KEMISERVER BINJARALLAH.EXE	A Network Trojan was detected	SC SPYWARE Possible account leak via SMTP
856	AUDIODG.EXE	A Network Trojan was detected	SC SPYWARE Possible account leak via SMTP

General Info

zNGjLCS.exe

4E7A96BA38C85888DC95FD024C1DB577

B6B958B5A20303D3B39590102030D762C25B95EA

47CA9CD6BC95486A34DC9F1A28B6C9C9908B6E4644D80D16405981E96B729AB2

24576:vi8Db8+QUD+KIulQvUdfoQK1f7gVt9FUGN4:viSQMIuuU/E8Vt9TN4

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Changes the autorun value in the registry

Actions looks like stealing of personal data

Stealing of credential data

MEGALODON was detected

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Application launched itself

Executes scripts

Starts itself from another location

Connects to SMTP port

Checks for external IP

Loads DLL from Mozilla Firefox

INFO

Reads the machine GUID from the registry

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings