Windows Analysis Report
unpacked_1648556.bin.exe

Overview

General Information

Sample name: unpacked_1648556.bin.exe
Analysis ID: 1417149
MD5: 95e35564ed41b3eeb4db220baec91c41
SHA1: 4c209f8b3c7684fc96c5d77c7b4f0ef896a40814
SHA256: 9b5498c5c240818198e2eea9d9b8dce18273ea24b167882c9efc030e2643f127
Tags: exe, IcedID

Detection

IcedID
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected IcedID
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files

Classification

Name: IcedID
Description: According to Proofpoint, IcedID (aka BokBot) is a malware originally classified as a banking malware and was first observed in 2017. It also acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot. IcedID is developed and operated by the actor named LUNAR SPIDER. As previously published, historically there has been just one version of IcedID that has remained constant since 2017.
  • In November 2022, Proofpoint researchers observed the first new variant of IcedID, which Proofpoint dubbed 'IcedID Lite', distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break.
  • The IcedID Lite Loader observed in November 2022 contains a static URL to download a 'Bot Pack' file with a static name (botpack.dat) which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.
  • Starting in February 2023, Proofpoint observed the new Forked variant of IcedID. This variant was distributed by TA581 and one unattributed threat activity cluster which acted as initial access facilitators. The campaigns used a variety of email attachments such as Microsoft OneNote attachments and somewhat rare to see .URL attachments, which led to the Forked variant of IcedID.
Attribution:
  • GOLD CABIN
  • Lunar Spider
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid

AV Detection

Source: unpacked_1648556.bin.exe Avira: detected
Source: https://certifacto.com/R Avira URL Cloud: Label: phishing
Source: https://certifacto.com/ Avira URL Cloud: Label: phishing
Source: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000XHM Avira URL Cloud: Label: phishing
Source: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000 Avira URL Cloud: Label: phishing
Source: certifacto.com Virustotal: Detection: 14%
Source: https://cowspidzu.pro/ Virustotal: Detection: 5%
Source: bladisuka.red Virustotal: Detection: 7%
Source: https://certifacto.com/ Virustotal: Detection: 16%
Source: https://bladisuka.red/ Virustotal: Detection: 10%
Source: unpacked_1648556.bin.exe Virustotal: Detection: 67%
Source: unpacked_1648556.bin.exe ReversingLabs: Detection: 57%
Source: Yara match File source: unpacked_1648556.bin.exe, type: SAMPLE
Source: Yara match File source: 0.2.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2055305505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: unpacked_1648556.bin.exe Joe Sandbox ML: detected
Source: unpacked_1648556.bin.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown DNS traffic detected: query: muratinue.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: certifacto.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: bladisuka.red replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cowspidzu.pro replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (this entry is repeated 24 times in the report)
Source: unknown DNS traffic detected: queries for: certifacto.com
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bladisuka.red/
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bladisuka.red/R
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000%
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000=
Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://certifacto.com/
Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://certifacto.com/R
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000
Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000XHM
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cowspidzu.pro/
Source: unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000&
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000l
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://muratinue.com/
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://muratinue.com/R
Source: unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000%
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2356059601.00000000004CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF000000000000000044U3h
Source: unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000xGM

E-Banking Fraud

Source: Yara match File source: unpacked_1648556.bin.exe, type: SAMPLE
Source: Yara match File source: 0.2.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2055305505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Section loaded: ondemandconnroutehelper.dll (this entry is repeated 24 times in the report)
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Section loaded: rasadhlp.dll
Source: unpacked_1648556.bin.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal96.troj.evad.winEXE@1/0@24/0
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe File created: C:\Users\user\AppData\Local\user
Source: unpacked_1648556.bin.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unpacked_1648556.bin.exe Virustotal: Detection: 67%
Source: unpacked_1648556.bin.exe ReversingLabs: Detection: 57%

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Code function: 0_2_004010F6 wsprintfA, 0_2_004010F6
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe RDTSC instruction interceptor: First address: 401131 second address: 401151 instructions:
  0x00000000 rdtsc
  0x00000002 mov esi, eax
  0x00000004 mov dword ptr [esp+1Ch], edx
  0x00000008 xor eax, eax
  0x0000000a lea edi, dword ptr [esp+28h]
  0x0000000e inc eax
  0x0000000f xor ecx, ecx
  0x00000011 cpuid
  0x00000013 mov dword ptr [edi], eax
  0x00000015 mov eax, edi
  0x00000017 mov dword ptr [eax+04h], ebx
  0x0000001a mov dword ptr [eax+08h], ecx
  0x0000001d mov dword ptr [eax+0Ch], edx
  0x00000020 rdtsc
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe RDTSC instruction interceptor: First address: 401151 second address: 401131 instructions:
  0x00000000 rdtsc
  0x00000002 sub eax, esi
  0x00000004 sbb edx, dword ptr [esp+1Ch]
  0x00000008 test edx, edx
  0x0000000a jnbe 00007FF2013B19AAh
  0x0000000c jc 00007FF2013B1969h
  0x0000000e cmp eax, 000000FAh
  0x00000013 jnc 00007FF2013B1968h
  0x00000015 inc byte ptr [esp+1Ah]
  0x00000019 jmp 00007FF2013B199Fh
  0x0000001b sub ebp, 01h
  0x0000001e jne 00007FF2013B18E5h
  0x00000020 rdtsc
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Code function: 0_2_00401224 rdtsc 0_2_00401224
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe TID: 6128 Thread sleep time: -660000s >= -30000s
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Last function: Thread delayed
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304402538.000000000048E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Code function: 0_2_00401224 rdtsc 0_2_00401224
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Code function: 0_2_00401000 CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,CloseHandle, 0_2_00401000
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe Code function: 0_2_004014F9 SHGetFolderPathA,lstrcatA,lstrcatA,lstrlenA,GetUserNameA,CreateDirectoryA,lstrcatA, 0_2_004014F9

Stealing of Sensitive Information

Source: Yara match File source: unpacked_1648556.bin.exe, type: SAMPLE
Source: Yara match File source: 0.2.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2055305505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: unpacked_1648556.bin.exe, type: SAMPLE
Source: Yara match File source: 0.2.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2055305505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
No contacted IP infos