Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1417093
MD5: 9c8f9c16d9476e30711c92307ff98b99
SHA1: dadce6f6fc960850127c7643948dd132fc60b569
SHA256: e353a4c8c81c7815dc8a9ee01e23f6fa7d438c0b8f44ba952c7f2d00aa044899
Tags: exe
Infos:

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Installs new ROOT certificates
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Name Description Attribution Blogpost URLs Link
zgRAT zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 13%
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5DDE00 CryptGenRandom,__CxxThrowException@8, 0_2_6E5DDE00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5DDEE0 CryptReleaseContext, 0_2_6E5DDEE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5DDD20 CryptReleaseContext, 0_2_6E5DDD20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5DDBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8, 0_2_6E5DDBB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5DD9D0 CryptAcquireContextA,GetLastError, 0_2_6E5DD9D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5DD7D4 CryptReleaseContext, 0_2_6E5DD7D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5DD7F0 CryptReleaseContext, 0_2_6E5DD7F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E6035E0 CryptReleaseContext, 0_2_6E6035E0
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: file.exe, 00000000.00000002.2058316472.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2058316472.0000000004206000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2071404797.000000006E604000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2069084336.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: file.exe, 00000000.00000002.2058316472.0000000004998000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2058316472.000000000480D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2069084336.000000000597A000.00000004.08000000.00040000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_0145BC30
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0145A855
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_0145BD40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_0145BD39
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_01454DE8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_0145BC28
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_0145BF5A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_0145BF60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_0145BE4E
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_0145BE50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06143EE2h 0_2_06143E30
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06143EE2h 0_2_06143E29
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_061442F1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_061442F8
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`, equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: file.exe String found in binary or memory: http://axschema.org/3http://schema.openid.net/3http://openid.net/schema/
Source: file.exe String found in binary or memory: http://axschema.org/company/nameBhttp://axschema.org/company/title:http://axschema.org/birthDateNhtt
Source: file.exe String found in binary or memory: http://axschema.org/contact/postalAddress/homephttp://axschema.org/contact/postalAddressAdditional/h
Source: file.exe String found in binary or memory: http://axschema.org/contact/postalCode/businessDhttp://axschema.org/contact/IM/AIMDhttp://axschema.o
Source: file.exe String found in binary or memory: http://axschema.org/namePersonJhttp://axschema.org/namePerson/prefixHhttp://axschema.org/namePerson/
Source: file.exe String found in binary or memory: http://axschema.org/person/genderFhttp://axschema.org/media/biographyBhttp://axschema.org/pref/langu
Source: file.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
Source: file.exe String found in binary or memory: http://namespace.google.com/openid/xmlns
Source: file.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe String found in binary or memory: http://openid.net/extensions/sreg/1.1
Source: file.exe String found in binary or memory: http://openid.net/signon/1.1
Source: file.exe String found in binary or memory: http://openid.net/sreg/1.05http://openid.net/sreg/1.1
Source: file.exe String found in binary or memory: http://openid.net/srv/ax/1.0
Source: file.exe String found in binary or memory: http://openid.net/xmlns/1.09http://openid.net/signon/1.0
Source: file.exe String found in binary or memory: http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical
Source: file.exe String found in binary or memory: http://schemas.openid.net/pape/policies/2007/06/none
Source: file.exe String found in binary or memory: http://schemas.openid.net/pape/policies/2007/06/phishing-resistantxhttp://schemas.openid.net/pape/po
Source: file.exe String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
Source: file.exe String found in binary or memory: http://specs.openid.net/auth/2.0
Source: file.exe String found in binary or memory: http://specs.openid.net/auth/2.0/signonOhttp://specs.openid.net/auth/2.0/serverehttp://specs.openid.
Source: file.exe String found in binary or memory: http://specs.openid.net/extensions/oauth/1.0
Source: file.exe String found in binary or memory: http://specs.openid.net/extensions/pape/1.0
Source: file.exe String found in binary or memory: http://specs.openid.net/extensions/ui/1.0/icon
Source: file.exe String found in binary or memory: http://specs.openid.net/extensions/ui/1.0ghttp://specs.openid.net/extensions/ui/1.0/lang-prefihttp:/
Source: file.exe String found in binary or memory: http://specs.openid.net/extensions/ui/icon
Source: file.exe String found in binary or memory: http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf
Source: file.exe String found in binary or memory: http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdfthttp://www.idmanagement.gov/
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: file.exe String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Installs a raw input device (often for capturing keystrokes)
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000311E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_b3da9d32-4
Drops certificate files (DER)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\Tmp7BEA.tmp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\Tmp7B9B.tmp Jump to dropped file

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: file.exe, type: SAMPLE Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
Source: 0.2.file.exe.437fff0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.437fff0.8.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.file.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.file.exe.437fff0.8.raw.unpack, Strings.cs Large array initialization: Strings: array initializer size 6160
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5AB6B0 0_2_6E5AB6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5D4EE0 0_2_6E5D4EE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5FAC29 0_2_6E5FAC29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5A2D70 0_2_6E5A2D70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5C4AC0 0_2_6E5C4AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E588B30 0_2_6E588B30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5F0B89 0_2_6E5F0B89
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5C4970 0_2_6E5C4970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E586650 0_2_6E586650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E58A7E0 0_2_6E58A7E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E58C7B0 0_2_6E58C7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5C4550 0_2_6E5C4550
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5FA54D 0_2_6E5FA54D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5E2310 0_2_6E5E2310
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5D63B0 0_2_6E5D63B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E59A0C0 0_2_6E59A0C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5C3E50 0_2_6E5C3E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5D5EB9 0_2_6E5D5EB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5F9FFC 0_2_6E5F9FFC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5FBFF1 0_2_6E5FBFF1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5C3C90 0_2_6E5C3C90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5E1CA0 0_2_6E5E1CA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5F5DD2 0_2_6E5F5DD2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5D5DD0 0_2_6E5D5DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5F9AAB 0_2_6E5F9AAB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5D5830 0_2_6E5D5830
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5D58D5 0_2_6E5D58D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5D58D7 0_2_6E5D58D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5FB964 0_2_6E5FB964
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5C3460 0_2_6E5C3460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5D5274 0_2_6E5D5274
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5C3260 0_2_6E5C3260
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5D5050 0_2_6E5D5050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_014514AD 0_2_014514AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_014526D8 0_2_014526D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01453F88 0_2_01453F88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01456EDE 0_2_01456EDE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06120EB3 0_2_06120EB3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_061226F8 0_2_061226F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_061226DE 0_2_061226DE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06120930 0_2_06120930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0149E3E8 2_2_0149E3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0149E3D8 2_2_0149E3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_01490869 2_2_01490869
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_01490878 2_2_01490878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_01494DC0 2_2_01494DC0
Enables security privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Security Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6E5ED520 appears 31 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6E5E9B35 appears 141 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6E5E90D8 appears 51 times
PE / OLE file has an invalid certificate
Source: file.exe Static PE information: invalid certificate
PE file contains executable resources (Code or Archives)
Source: file.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.2057078122.0000000003141000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameProtect.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2054318909.000000000122E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2069084336.0000000005A48000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2058316472.00000000048DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2058316472.0000000004364000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFleeceless.exe" vs file.exe
Source: file.exe, 00000000.00000002.2070334872.0000000005E21000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameProtect.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2058316472.0000000004A67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2068902961.0000000005790000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameProtect.dll8 vs file.exe
Source: file.exe, 00000000.00000000.2048770149.0000000000722000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesoftwarebasecompact_vim3.exeR vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamesoftwarebasecompact_vim3.exeR vs file.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: esdsip.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: linkinfo.dll Jump to behavior
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: file.exe, type: SAMPLE Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
Source: 0.2.file.exe.437fff0.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.437fff0.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.file.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
Source: 0.2.file.exe.437fff0.8.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.437fff0.8.raw.unpack, SAsWjw6ryKORpjDdOpK.cs Cryptographic APIs: 'CreateDecryptor'
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: *.sln
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/7@0/0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:796:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Program Files (x86)\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 13%
Source: file.exe String found in binary or memory: Could not load assembly '{0}'. (If you are using Code First Migrations inside Visual Studio this can happen if the startUp project for your solution does not reference the project that contains your migrations. You can either change the startUp project for your solution or use the -StartUpProjectName parameter.)
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 5202304 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4db200
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: file.exe, 00000000.00000002.2058316472.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2058316472.0000000004206000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2071404797.000000006E604000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2069084336.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: file.exe, 00000000.00000002.2058316472.0000000004998000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2058316472.000000000480D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2069084336.000000000597A000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.file.exe.437fff0.8.raw.unpack, SAsWjw6ryKORpjDdOpK.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
.NET source code contains potential unpacker
Source: 0.2.file.exe.437fff0.8.raw.unpack, oT7fsFY1oP1lxDsrwQO.cs .Net Code: AQZpOUGRLB
Source: 0.2.file.exe.437fff0.8.raw.unpack, oT7fsFY1oP1lxDsrwQO.cs .Net Code: U4jxctCYnH
Binary contains a suspicious time stamp
Source: file.exe Static PE information: 0xCD91AA8D [Sun Apr 16 13:01:01 2079 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E59B6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress, 0_2_6E59B6C0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5ECC2B push ecx; ret 0_2_6E5ECC3E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5ED565 push ecx; ret 0_2_6E5ED578
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0612090E push 0C418B01h; ret 0_2_06120913
Source: 0.2.file.exe.437fff0.8.raw.unpack, SAsWjw6ryKORpjDdOpK.cs High entropy of concatenated method names: 'XLjuK5Adot', 'g38PJ8K3c0', 'aN4uX9Cl5d', 'W2KukoYeLh', 'f1suajXB2G', 'Xx3u3cg4ry', 'oU0jeoJvNN', 'lNP6qCDE0A', 'nkL6SGIYut', 'ktO6z4YpfB'
Source: 0.2.file.exe.437fff0.8.raw.unpack, cYliXic5yo5UO8ufBcv.cs High entropy of concatenated method names: 'rR2cnEDbFD', 'kaVcPhfgb9', 'KOVcwUqTwR', 'CvmcI5MkWW', 'Hqtc2WLIKT', 'qtSc6ahkfQ', 'mQycLouwYB', 'GHtcu5y2P1', 'qQmcY5J4MP', 'NLAc1UV8gA'
Source: 0.2.file.exe.437fff0.8.raw.unpack, oT7fsFY1oP1lxDsrwQO.cs High entropy of concatenated method names: 'nquGaA3nxn', 'SoHG3kPJQs', 'sflGDSqbiB', 'U1iG9IMcmK', 'VGxGilwucp', 'ym6GRqZK41', 'HIUG0QD0VE', 'Ah4Y3nF77w', 's0SG4DMO4o', 'M8RGsqVdt9'

Persistence and Installation Behavior
barindex
Installs new ROOT certificates
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: file.exe PID: 2444, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE`,
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE@\
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\file.exe Memory allocated: 1450000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 3140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 15D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1480000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4F10000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 5268 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4232 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6684 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe`,
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe@\
Source: MSBuild.exe, 00000002.00000002.2066425183.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: CvmcI5MkWW
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5E948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E5E948B
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E59B6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress, 0_2_6E59B6C0
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5E948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E5E948B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5EB144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E5EB144
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 464000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4C0000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F07008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe Jump to behavior
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000311E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000311E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5E84B0 cpuid 0_2_6E5E84B0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E5EA25A GetSystemTimeAsFileTime,__aulldiv, 0_2_6E5EA25A
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.file.exe.437fff0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.437fff0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2058316472.00000000042BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2058316472.0000000004364000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2066425183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: 0.2.file.exe.437fff0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.437fff0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2058316472.00000000042BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2058316472.0000000004364000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2066425183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara detected zgRAT
Source: Yara match File source: 0.2.file.exe.437fff0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.437fff0.8.unpack, type: UNPACKEDPE

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.file.exe.437fff0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.437fff0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2058316472.00000000042BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2058316472.0000000004364000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2066425183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: 0.2.file.exe.437fff0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.437fff0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2058316472.00000000042BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2058316472.0000000004364000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2066425183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara detected zgRAT
Source: Yara match File source: 0.2.file.exe.437fff0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.437fff0.8.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6E59A0C0 CorBindToRuntimeEx,GetModuleHandleW,GetModuleHandleW,__cftoe,GetModuleHandleW,GetProcAddress, 0_2_6E59A0C0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1417093 Sample: file.exe Startdate: 28/03/2024 Architecture: WINDOWS Score: 100 18 Malicious sample detected (through community Yara rule) 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 Yara detected PureLog Stealer 2->22 24 6 other signatures 2->24 7 file.exe 2 2->7         started        process3 file4 16 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 7->16 dropped 26 Writes to foreign memory regions 7->26 28 Allocates memory in foreign processes 7->28 30 Injects a PE file into a foreign processes 7->30 11 MSBuild.exe 1 24 7->11         started        signatures5 process6 signatures7 32 Installs new ROOT certificates 11->32 34 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->34 14 conhost.exe 11->14         started        process8
No contacted IP infos

Contacted Domains

Name IP Active
fp2e7a.wpc.phicdn.net 192.229.211.108 true