Edit tour
Windows
Analysis Report
Metamask_setup.exe
Overview
General Information
| Sample name: | Metamask_setup.exe |
| Analysis ID: | 1379472 |
| MD5: | 618f137baf526f754d3ee3885acb9c04 |
| SHA1: | a7f29acee8f33eee1b569fc992bdbbe2f413042c |
| SHA256: | 512ec746b8318aa67bb11aa498a94d0e9848c241e7296c46757dcf1997e28be4 |
| Infos: |  |
 | |
Detection
Meduza Stealer
| Score: | 80 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Meduza Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Program does not show much activity (idle)
Classification
- System is w10x64
Metamask_setup.exe (PID: 7064 cmdline: C:\Users\u ser\Deskto p\Metamask _setup.exe MD5: 618F137BAF526F754D3EE3885ACB9C04)
- cleanup
{"C2 url": "77.105.147.171:15666"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF6DF0D308C | |
| Source: | Code function: | 0_2_00007FF6DF0D2FDC | |
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00007FF6DF0896F0 | |
| Source: | Code function: | 0_2_00007FF6DF09F110 | |
| Source: | Code function: | 0_2_00007FF6DF075F00 | |
| Source: | Code function: | 0_2_00007FF6DF0B0874 | |
| Source: | Code function: | 0_2_00007FF6DF0A8090 | |
| Source: | Code function: | 0_2_00007FF6DF0BD488 | |
| Source: | Code function: | 0_2_00007FF6DF0D308C | |
| Source: | Code function: | 0_2_00007FF6DF0510E0 | |
| Source: | Code function: | 0_2_00007FF6DF0B6110 | |
| Source: | Code function: | 0_2_00007FF6DF0AB510 | |
| Source: | Code function: | 0_2_00007FF6DF0B036C | |
| Source: | Code function: | 0_2_00007FF6DF0D4F90 | |
| Source: | Code function: | 0_2_00007FF6DF080790 | |
| Source: | Code function: | 0_2_00007FF6DF0AF7A0 | |
| Source: | Code function: | 0_2_00007FF6DF0A83A0 | |
| Source: | Code function: | 0_2_00007FF6DF0BBF9C | |
| Source: | Code function: | 0_2_00007FF6DF0C7830 | |
| Source: | Code function: | 0_2_00007FF6DF091A80 | |
| Source: | Code function: | 0_2_00007FF6DF0A3680 | |
| Source: | Code function: | 0_2_00007FF6DF075AD0 | |
| Source: | Code function: | 0_2_00007FF6DF0896F0 | |
| Source: | Code function: | 0_2_00007FF6DF0D6EF4 | |
| Source: | Code function: | 0_2_00007FF6DF0BBB08 | |
| Source: | Code function: | 0_2_00007FF6DF0B8D50 | |
| Source: | Code function: | 0_2_00007FF6DF0AD590 | |
| Source: | Code function: | 0_2_00007FF6DF0A7180 | |
| Source: | Code function: | 0_2_00007FF6DF0D69A8 | |
| Source: | Code function: | 0_2_00007FF6DF0AF9A4 | |
| Source: | Code function: | 0_2_00007FF6DF0AF59C | |
| Source: | Code function: | 0_2_00007FF6DF0959C0 | |
| Source: | Code function: | 0_2_00007FF6DF0BB200 | |
| Source: | Code function: | 0_2_00007FF6DF0BC61C | |
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | API coverage: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00007FF6DF0D308C | |
| Source: | Code function: | 0_2_00007FF6DF0D2FDC | |
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00007FF6DF0AE280 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00007FF6DF0CCE58 | |
| Source: | Code function: | 0_2_00007FF6DF0AE280 | |
| Source: | Code function: | 0_2_00007FF6DF0C70C0 | |
| Source: | Code function: | 0_2_00007FF6DF0BA4DC | |
| Source: | Code function: | 0_2_00007FF6DF0B9F9C | |
| Source: | Code function: | 0_2_00007FF6DF0C6678 | |
| Source: | Code function: | 0_2_00007FF6DF0C6AA4 | |
| Source: | Code function: | 0_2_00007FF6DF0C6EDC | |
| Source: | Code function: | 0_2_00007FF6DF0C69D4 | |
| Source: | Code function: | 0_2_00007FF6DF0CD3CC | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Abuse Accessibility Features | Acquire Infrastructure | Gather Victim Identity Information |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials |
| Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Ingress Tool Transfer | Data Encrypted for Impact | DNS Server | Email Addresses | ||
| Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 12 System Information Discovery | Distributed Component Object Model | Input Capture | Traffic Duplication | Protocol Impersonation | Data Destruction | Virtual Private Server | Employee Names |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 82% | ReversingLabs | Win64.Spyware.Medusastealer | ||
| 79% | Virustotal | Browse | ||
| 100% | Avira | TR/Spy.Agent.kgbyf | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 77.105.147.171 | unknown | Russian Federation | 42031 | PLUSTELECOM-ASRU | true |
| Joe Sandbox version: | 38.0.0 Ammolite |
| Analysis ID: | 1379472 |
| Start date and time: | 2024-01-23 13:24:14 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 59s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 1 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Metamask_setup.exe |
| Detection: | MAL |
| Classification: | mal80.troj.spyw.winEXE@1/0@0/1 |
| EGA Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
⊘No simulations
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| PLUSTELECOM-ASRU | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | PrivateLoader | Browse |
| ||
| Get hash | malicious | Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | RMSRemoteAdmin, Remote Utilities | Browse |
| ||
| Get hash | malicious | RMSRemoteAdmin, Remote Utilities | Browse |
| ||
| Get hash | malicious | Quasar | Browse |
| ||
| Get hash | malicious | Quasar | Browse |
| ||
| Get hash | malicious | RMSRemoteAdmin, Remote Utilities | Browse |
| ||
| Get hash | malicious | RMSRemoteAdmin, Remote Utilities | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.338845189889762 |
| TrID: |
|
| File name: | Metamask_setup.exe |
| File size: | 790'016 bytes |
| MD5: | 618f137baf526f754d3ee3885acb9c04 |
| SHA1: | a7f29acee8f33eee1b569fc992bdbbe2f413042c |
| SHA256: | 512ec746b8318aa67bb11aa498a94d0e9848c241e7296c46757dcf1997e28be4 |
| SHA512: | 41d93eb646043fc2a16c0cb123d724db9091109dfd4ed457f45444859a38f463b3b410188d9ec1c0df8a3037a7846e8c94bd8e0dbe29634d44f01feb8a4bdf1e |
| SSDEEP: | 12288:k/Dduefh+bErggggggggMfAF3m5mz1U/uuUtw/8DvC5mukp:mDduz6ggggggggMYF3Imzy2NAaC5M |
| TLSH: | 1EF40934E69C3669D06BA078FC4B5C02E93278AA1320BFEB12D55A511F97EE15F3D360 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q.o.q.o.q.o.:.h.p.o.:.i.p.o.d.j...o.d.k.~.o.d.l.y.o.:.j...o.:.l.v.o.:.k.c.o.q.n...o.:.n.j.o.G.f.}.o.G...p.o.G.m.p.o.Richq.o |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x14007cb70 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x64F15F28 [Fri Sep 1 03:48:56 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 59fc3561b97c1724a66e573b2805c788 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F397938B398h |
| dec eax |
| add esp, 28h |
| jmp 00007F397938A9BFh |
| int3 |
| int3 |
| and dword ptr [0003DBE5h], 00000000h |
| ret |
| dec eax |
| mov dword ptr [esp+08h], ebx |
| push ebp |
| dec eax |
| lea ebp, dword ptr [esp-000004C0h] |
| dec eax |
| sub esp, 000005C0h |
| mov ebx, ecx |
| mov ecx, 00000017h |
| call dword ptr [0001C68Ah] |
| test eax, eax |
| je 00007F397938AB46h |
| mov ecx, ebx |
| int 29h |
| mov ecx, 00000003h |
| call 00007F397938AB09h |
| xor edx, edx |
| dec eax |
| lea ecx, dword ptr [ebp-10h] |
| inc ecx |
| mov eax, 000004D0h |
| call 00007F397938C484h |
| dec eax |
| lea ecx, dword ptr [ebp-10h] |
| call dword ptr [0001C62Dh] |
| dec eax |
| mov ebx, dword ptr [ebp+000000E8h] |
| dec eax |
| lea edx, dword ptr [ebp+000004D8h] |
| dec eax |
| mov ecx, ebx |
| inc ebp |
| xor eax, eax |
| call dword ptr [0001C61Bh] |
| dec eax |
| test eax, eax |
| je 00007F397938AB7Eh |
| dec eax |
| and dword ptr [esp+38h], 00000000h |
| dec eax |
| lea ecx, dword ptr [ebp+000004E0h] |
| dec eax |
| mov edx, dword ptr [ebp+000004D8h] |
| dec esp |
| mov ecx, eax |
| dec eax |
| mov dword ptr [esp+30h], ecx |
| dec esp |
| mov eax, ebx |
| dec eax |
| lea ecx, dword ptr [ebp+000004E8h] |
| dec eax |
| mov dword ptr [esp+28h], ecx |
| dec eax |
| lea ecx, dword ptr [ebp-10h] |
| dec eax |
| mov dword ptr [esp+20h], ecx |
| xor ecx, ecx |
| call dword ptr [0001C5E2h] |
| dec eax |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5b90 | 0x118 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc6000 | 0x1e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xbd000 | 0x79e0 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc7000 | 0xb54 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa76a0 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xa7700 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa7560 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x99000 | 0x650 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x97edc | 0x98000 | 14fecd9441573d8f8846ade337580ead | False | 0.42626953125 | zlib compressed data | 6.304920226712859 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x99000 | 0x1e0c0 | 0x1e200 | 2619a9f8e04fbdc4bbf68a1be1ba22e6 | False | 0.4567313926348548 | DIY-Thermocam raw data (Lepton 2.x), scale 25856-27648, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 154742504910672534362390528.000000, slope 2543115696954447765978707132416.000000 | 5.510471051944646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xb8000 | 0x4484 | 0x1e00 | 1ac5d7acfbfbd5b995f739e66ca25ec4 | False | 0.16067708333333333 | data | 3.2862763790147604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0xbd000 | 0x79e0 | 0x7a00 | 9063aa876dbea603cc0cba3a374e398d | False | 0.40320824795081966 | data | 5.843380934302045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| _RDATA | 0xc5000 | 0x15c | 0x200 | 392099a42f1a81299705ff2d92da8379 | False | 0.41015625 | data | 3.3726519446433953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xc6000 | 0x1e0 | 0x200 | 40051623f806a9ed9f88c3948606ca62 | False | 0.52734375 | data | 4.7137725829467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xc7000 | 0xb54 | 0xc00 | b58ee936f6aedd3f50b5062d1561ba30 | False | 0.4661458333333333 | data | 5.269667204999112 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0xc6060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
| DLL | Import |
|---|---|
| WS2_32.dll | htons, inet_pton, WSAStartup, send, socket, connect, recv, WSACleanup, closesocket |
| CRYPT32.dll | CryptUnprotectData |
| WININET.dll | InternetQueryDataAvailable, InternetReadFile, InternetCloseHandle, InternetOpenW, InternetOpenUrlA, InternetOpenA, HttpQueryInfoW |
| ntdll.dll | NtQueryObject, NtQuerySystemInformation |
| RstrtMgr.DLL | RmGetList, RmStartSession, RmEndSession, RmRegisterResources |
| KERNEL32.dll | MultiByteToWideChar, LocalFree, WideCharToMultiByte, IsDebuggerPresent, WriteProcessMemory, TerminateProcess, GetModuleFileNameW, WaitForSingleObject, ResumeThread, CloseHandle, GetThreadContext, VirtualAllocEx, CreateProcessW, SetThreadContext, GetExitCodeProcess, ExitProcess, ReadFile, GetModuleFileNameA, GetVolumeInformationW, GetGeoInfoA, HeapFree, EnterCriticalSection, GetCurrentProcess, GetProcessId, GetProductInfo, LeaveCriticalSection, SetFilePointer, InitializeCriticalSectionEx, GetModuleHandleA, OpenProcess, HeapSize, GetLogicalDriveStringsW, GetFinalPathNameByHandleA, GetTimeZoneInformation, GetLastError, HeapReAlloc, GetNativeSystemInfo, HeapAlloc, GetUserGeoID, DecodePointer, GetProcAddress, GetFileSize, DeleteCriticalSection, GetComputerNameW, GetProcessHeap, GlobalMemoryStatusEx, GetModuleHandleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, IsProcessorFeaturePresent, GetCurrentProcessId, GetSystemTimeAsFileTime, FreeLibrary, GetModuleHandleExW, VirtualAlloc, VirtualProtect, VirtualQuery, GetCurrentThreadId, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeCriticalSectionAndSpinCount, LoadLibraryExW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetStdHandle, GetFileType, GetStartupInfoW, RaiseException, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, WriteFile, GetConsoleOutputCP, GetConsoleMode, ReadConsoleW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetStringTypeW, SetStdHandle, CreateFileW, WriteConsoleW, OutputDebugStringW, SetEndOfFile, FreeEnvironmentStringsW, SetEnvironmentVariableW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, QueryPerformanceCounter, InitializeSListHead, RtlUnwindEx, RtlUnwind, RtlPcToFileHeader, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LCMapStringEx, GetCommandLineA, GetCommandLineW, GetSystemInfo, GetEnvironmentStringsW, GetFileInformationByHandleEx, AreFileApisANSI, GetFileAttributesExW, FindNextFileW, FindFirstFileExW, FindFirstFileW, FindClose, FormatMessageA, GetLocaleInfoEx, GetCurrentDirectoryW |
| USER32.dll | EnumDisplayDevicesW, GetDC, GetSystemMetrics, GetWindowRect, ReleaseDC, GetDesktopWindow |
| GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetDeviceCaps, DeleteDC, GetObjectW, DeleteObject |
| ADVAPI32.dll | RegCloseKey, RegQueryValueExA, RegOpenKeyExA, GetUserNameW, RegEnumKeyExA, GetCurrentHwProfileW |
| SHELL32.dll | ShellExecuteA, SHGetKnownFolderPath |
| ole32.dll | CoTaskMemFree, CreateStreamOnHGlobal |
| SHLWAPI.dll | |
| gdiplus.dll | GdiplusStartup, GdiplusShutdown, GdipGetImageEncoders, GdipCloneImage, GdipAlloc, GdipCreateBitmapFromScan0, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipDisposeImage, GdipFree, GdipCreateBitmapFromHBITMAP |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 23, 2024 13:24:59.873930931 CET | 49729 | 15666 | 192.168.2.4 | 77.105.147.171 |
| Jan 23, 2024 13:25:00.086932898 CET | 15666 | 49729 | 77.105.147.171 | 192.168.2.4 |
| Jan 23, 2024 13:25:00.588654995 CET | 49729 | 15666 | 192.168.2.4 | 77.105.147.171 |
| Jan 23, 2024 13:25:00.802571058 CET | 15666 | 49729 | 77.105.147.171 | 192.168.2.4 |
| Jan 23, 2024 13:25:01.307445049 CET | 49729 | 15666 | 192.168.2.4 | 77.105.147.171 |
| Jan 23, 2024 13:25:01.520523071 CET | 15666 | 49729 | 77.105.147.171 | 192.168.2.4 |
| Jan 23, 2024 13:25:02.026153088 CET | 49729 | 15666 | 192.168.2.4 | 77.105.147.171 |
| Jan 23, 2024 13:25:02.239245892 CET | 15666 | 49729 | 77.105.147.171 | 192.168.2.4 |
| Jan 23, 2024 13:25:02.744898081 CET | 49729 | 15666 | 192.168.2.4 | 77.105.147.171 |
| Jan 23, 2024 13:25:02.958246946 CET | 15666 | 49729 | 77.105.147.171 | 192.168.2.4 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 13:24:59 |
| Start date: | 23/01/2024 |
| Path: | C:\Users\user\Desktop\Metamask_setup.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6df050000 |
| File size: | 790'016 bytes |
| MD5 hash: | 618F137BAF526F754D3EE3885ACB9C04 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 1.2% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 19.7% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 10 |