Windows Analysis Report
SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe
Analysis ID: 1428461
MD5: a4d2a484e1f0bf11169fda433a385f7f
SHA1: 6733490679d6236a833d20390bc1e2d8ea88ed2e
SHA256: b2a55016c310fb3b6e38ea7dd08f6387c18c9eb2a4007947b43e6f1bb712c36e
Tags: exe

Detection

Discord Token Stealer
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Discord Token Stealer
Found Tor onion address
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Yara signature match

Classification

AV Detection

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe ReversingLabs: Detection: 20%
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: unixxn--bitsNameTypeasn1cx16sse2false<nil>ErrorchdirwritechmodchowncloseMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalOperaAmigoTorchGetDCBEGIN_auth_syncfile:1562578125int16int32int64uint8arrayslice and kind=defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]ntohs&amp;&#34;&#39;https:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFoundNRGBAparsexxxxxInts:Ptrs:GreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilsse41sse42ssse3matchrune tls: Earlyfilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nSHA-1P-224P-256P-384P-521ECDSA (at no IPClassStringFormat[]bytestringreadatremoveSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGOROOTChromeYandexKometaBitBltCOMMITNORMAL_mutexDOUBLE390625uint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not objectstatuslistensocketnumberactiveclosedsocks5CANCELGOAWAYPADDEDBasic CookieacceptcookieexpectoriginserverExpectPragmasocks LockedRGBA64Gray16, val CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidirdtscppopcntcmd/gonetdnsempty rune1 X25519%w%.0wAcceptServerdomaingophertelnet.localreturn.onionip+netheaderAnswerLengthSTREETavx512rdrandrdseedfloat32float64readdirwriteatconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltAPPDATADiscordChrome1Chrome2Chrome3Chrome4Chrome5Orbitumsqlite3DEFAULT_txlock_vacuum_cslikeDECIMAL19531259765625invaliduintptrSwapperChanDir using , type= Value>ConvertforcegcallocmWcpuprofallocmRunknowngctraceIO waitUNKNOWN:eventsCopySidWSARecvWSASendconnectDefaultnumber UpgradeTrailerHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUG:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTNRGBA64nil keyFloats:AvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaavx512fos/execruntimeInstAltInstNopalt -> nop -> any -> derivedInitialExpiresSubjectwindowswsarecvwsasendlookup writetocharset\\.\UNCSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:no portanswers2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoStringtruncateFullPathThursdaySaturdayFebruaryNovemberDecember%!Month(ZONEINFOOpera GXDeleteDCROLLBACK_timeout_journal_locking48828125infinitystrconv.parsing ParseIntFuncTypestruct {nil PoolscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKno anodeCancelIoReadFileAcceptExWSAIoctlshutdownwsaioctlacceptex\Historybad insthijackedNO_ERRORPRIORITYSETTINGSLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0boundaryHTTP/1.1no-cacheContinueAcceptedConflictPaletted
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe String found in binary or memory: unixxn--bitsNameTypeasn1cx16sse2false<nil>ErrorchdirwritechmodchowncloseMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalOperaAmigoTorchGetDCBEGIN_auth_syncfile:1562578125int16int32int64uint8arrayslice and kind=defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]ntohs&amp;&#34;&#39;https:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFoundNRGBAparsexxxxxInts:Ptrs:GreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilsse41sse42ssse3matchrune tls: Earlyfilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nSHA-1P-224P-256P-384P-521ECDSA (at no IPClassStringFormat[]bytestringreadatremoveSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGOROOTChromeYandexKometaBitBltCOMMITNORMAL_mutexDOUBLE390625uint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not objectstatuslistensocketnumberactiveclosedsocks5CANCELGOAWAYPADDEDBasic CookieacceptcookieexpectoriginserverExpectPragmasocks LockedRGBA64Gray16, val CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidirdtscppopcntcmd/gonetdnsempty rune1 X25519%w%.0wAcceptServerdomaingophertelnet.localreturn.onionip+netheaderAnswerLengthSTREETavx512rdrandrdseedfloat32float64readdirwriteatconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltAPPDATADiscordChrome1Chrome2Chrome3Chrome4Chrome5Orbitumsqlite3DEFAULT_txlock_vacuum_cslikeDECIMAL19531259765625invaliduintptrSwapperChanDir using , type= Value>ConvertforcegcallocmWcpuprofallocmRunknowngctraceIO waitUNKNOWN:eventsCopySidWSARecvWSASendconnectDefaultnumber UpgradeTrailerHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUG:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTNRGBA64nil keyFloats:AvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaavx512fos/execruntimeInstAltInstNopalt -> nop -> any -> derivedInitialExpiresSubjectwindowswsarecvwsasendlookup writetocharset\\.\UNCSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:no portanswers2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoStringtruncateFullPathThursdaySaturdayFebruaryNovemberDecember%!Month(ZONEINFOOpera GXDeleteDCROLLBACK_timeout_journal_locking48828125infinitystrconv.parsing ParseIntFuncTypestruct {nil PoolscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKno anodeCancelIoReadFileAcceptExWSAIoctlshutdownwsaioctlacceptex\Historybad insthijackedNO_ERRORPRIORITYSETTINGSLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0boundaryHTTP/1.1no-cacheContinueAcceptedConflictPaletted
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe String found in binary or memory: https://discord.com/api/v9/users/
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1681861352.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp, HistoryncVxcrHRZz.0.dr, HistoryAWSFNvLGNr.0.dr, history.json.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1677307275.0000024B5E2D5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1677378269.0000024B5E2D5000.00000004.00000020.00020000.00000000.sdmp, HistoryncVxcrHRZz.0.dr, HistoryAWSFNvLGNr.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1681861352.000000C00008E000.00000004.00001000.00020000.00000000.sdmp, HistoryncVxcrHRZz.0.dr, HistoryAWSFNvLGNr.0.dr, history.json.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1681861352.000000C00008E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17C:
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1677307275.0000024B5E2D5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1677378269.0000024B5E2D5000.00000004.00000020.00020000.00000000.sdmp, HistoryncVxcrHRZz.0.dr, HistoryAWSFNvLGNr.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, type: SAMPLE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.0.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Static PE information: Number of sections : 11 > 10
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, type: SAMPLE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.0.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: classification engine Classification label: mal72.troj.spyw.evad.winEXE@2/19@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File created: C:\Users\user\Desktop\discord.json
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Windows\system32\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 Jump to behavior
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Binary or memory string: SELECT tab_url, target_path FROM downloadslooking for beginning of object key stringmix of request and response pseudo headersPRIORITY frame payload size was %d; want 5http: multipart handled by MultipartReaderhttp: ContentLength=%d with Body length %d Rectang
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1676784459.0000024B5E2BE000.00000004.00000020.00020000.00000000.sdmp, Login DatapomdOhjfeW.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe ReversingLabs: Detection: 20%
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe String found in binary or memory: bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: text offset out
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe String found in binary or memory: ocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: sudog with non-nil wait
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Section loaded: cryptbase.dll
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Static file information: File size 7870976 > 1048576
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x40d400
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2f9800
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1684978369.0000024B5E28E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation

Stealing of Sensitive Information

Source: Yara match File source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1674596432.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe PID: 7496, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataifXQjhqTfO
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryncVxcrHRZz
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Profile 1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesyonHaWuppH
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DatapomdOhjfeW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Profile 5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Profile 4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistorymUUcKURTZn
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Profile 3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Profile 2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataFIHJDMqXHm
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DatamiROCwylnO
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryAWSFNvLGNr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesPsjkPAcRus
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryqCoKrzsSGr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: Yara match File source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1674596432.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe PID: 7496, type: MEMORYSTR
No contacted IP infos