Windows Analysis Report
SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Analysis ID: 1427173
MD5: 921557c2b17618359e49a321117a5917
SHA1: a2ae5fb4d614f3fca87a42f1fc15800a22d36504
SHA256: b06beeb0116f23b271122767f0be842dd5c5082b1e585e79ded01985a8fe0036
Tags: exe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Allocates memory with a write watch (potentially for evading sandboxes)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Virustotal: Detection: 7%
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: Binary string: C:\Users\blake\OneDrive\Programming\Projects\C#\balatro-mobile-maker\balatro-mobile-maker\obj\Release\net8.0\win-x64\linked\balatro-mobile-maker.pdbSHA256 source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: Binary string: C:\Users\blake\OneDrive\Programming\Projects\C#\balatro-mobile-maker\balatro-mobile-maker\obj\Release\net8.0\win-x64\linked\balatro-mobile-maker.pdb source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: http://.css
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: http://.jpg
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: http://html4/loose.dtd
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/binaryformatter
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/dotnet-illink/com)
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failedRequired:
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/dotnet/download
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/dotnet/info
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/dotnet/sdk-not-found
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.3.jar
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://dl.google.com/android/repository/platform-tools-latest-windows.zip
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/7za.exe9Extract
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/Balatro-APK-Pat
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/balatro-base.ip
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://github.com/dotnet/runtime
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://github.com/love2d/love-android/releases/download/11.5a/love-11.5-android-embed.apk7love-11.5
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://github.com/patrickfav/uber-apk-signer/releases/download/v1.3.0/uber-apk-signer-1.3.0.jar
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3292163811.000002E7C1D10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=249553_4d245f941845490c91360409ecffb3b4
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=249553_4d245f941845490c91360409ecffb3b4%j
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3292163811.000002E7C1D10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe)python-installer.exe)Installing
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3296042280.00007FF735425000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemscordaccore.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3296042280.00007FF735425000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebalatro-mobile-maker.dllJ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291561128.000002A72CE20000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291561128.000002A72CE20000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291561128.000002A72CE20000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Console.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291805414.000002A72CF40000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291805414.000002A72CF40000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291805414.000002A72CF40000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291805414.000002A72CF40000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291805414.000002A72CF40000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291491514.000002A72CDF0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291491514.000002A72CDF0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291986537.000002E7C1AC0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291468145.000002A72CDD0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenamebalatro-mobile-maker.dllJ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenamemscordaccore.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenamebalatro-mobile-maker.dllJ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Console.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.StackTrace.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Formats.Asn1.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.IO.Compression.Brotli.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.IO.Compression.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.IO.MemoryMappedFiles.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Net.NetworkInformation.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Net.Quic.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Net.Requests.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Net.WebClient.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Net.WebHeaderCollection.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.ObjectModel.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Reflection.Metadata.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Runtime.Numerics.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.Threading.Channels.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Binary or memory string: OriginalFilenameSystem.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: classification engine Classification label: mal48.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2952:120:WilError_03
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 46.24%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: Morph - Structs/AddrExp
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=249553_4d245f941845490c91360409ecffb3b4%java-installer.exe%Installing Java...+java-installer.exe /sUJava still not detected! Try to re-launch.Oexplorer https://www.java.com/download/-Checking for Python...-python --version 3>NUL
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe)python-installer.exe)Installing Python...7python-installer.exe /quiet
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: Python still not detected! Try to re-launch, or install Python manually from the Microsoft Store.
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: ccd platform-tools && cd platform-tools && adb push "%AppData%/Balatro/." /data/local/tmp/balatro/files/save/game && adb shell am force-stop com.unofficial.balatro && adb shell run-as com.unofficial.balatro cp -r /data/local/tmp/balatro/files . && adb shell rm -r /data/local/tmp/balatro && adb kill-servermWould you like to pull saves from your Android device?
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: cd platform-tools && cd platform-tools && adb pull /data/local/tmp/balatro/files/. %AppData%/Balatro/eAttempting to pull save files from Android device.7Deleting temporary files...-del java-installer.exe?del love-11.5-android-embed.apk3del Balatro-APK-Patch.zip
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: del 7za.exeSdel balatro-aligned-debugSigned.apk.idsig1del balatro-unsigned.apk-del platform-tools.zip1del python-installer.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/7za.exe9Extracting platform-tools...S7za x platform-tools.zip -oplatform-tools
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/Balatro-APK-Patch.zip+Balatro-APK-Patch.zip
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/balatro-base.ipa!balatro-base.ipa;An unexpected error occurred!
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: maxBufferSize!CheckTaskNotNull/LoadIntoBufferAsyncCore%HttpMessageHandlerSend
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: ,!requests-started!Requests Started+requests-started-rate+Requests Started Rate
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: usableCHTTP2 connection no longer usableUCreating new HTTP/1.1 connection for pool.1AddHttp11ConnectionAsyncQCreating new HTTP/2 connection for pool./AddHttp2ConnectionAsync
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe String found in binary or memory: (?)-AddressChangedCallback
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Section loaded: kernel.appcore.dll
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static file information: File size 14477139 > 1048576
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x617000
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17d400
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x147000
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: section name: .CLR_UEF
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: section name: .didat
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: section name: Section
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Memory allocated: 2A72B500000 memory reserve | memory write watch
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe Code function: 0_2_00007FF7351FAE0C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7351FAE0C
No contacted IP infos