Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe
Analysis ID:	1428461
MD5:	a4d2a484e1f0bf11169fda433a385f7f
SHA1:	6733490679d6236a833d20390bc1e2d8ea88ed2e
SHA256:	b2a55016c310fb3b6e38ea7dd08f6387c18c9eb2a4007947b43e6f1bb712c36e
Tags:	exe
Infos:

Detection

Discord Token Stealer

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Discord Token Stealer

Found Tor onion address

Tries to harvest and steal browser information (history, passwords, etc)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe" MD5: A4D2A484E1F0BF11169FDA433A385F7F)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0x50ca34:$string1: SELECT origin_url, username_value, password_value FROM logins 0x73d820:$string2: API call with %s database connection pointer 0x73d8d8:$string3: os_win.c:%d: (%lu) %s(%s) - %s

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
00000000.00000000.1674596432.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe PID: 7496	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
0.0.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0x50ca34:$string1: SELECT origin_url, username_value, password_value FROM logins 0x73d820:$string2: API call with %s database connection pointer 0x73d8d8:$string3: os_win.c:%d: (%lu) %s(%s) - %s
0.2.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
0.2.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0x50ca34:$string1: SELECT origin_url, username_value, password_value FROM logins 0x73d820:$string2: API call with %s database connection pointer 0x73d8d8:$string3: os_win.c:%d: (%lu) %s(%s) - %s

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

ReversingLabs: Detection: 20%

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Found Tor onion address

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: unixxn--bitsNameTypeasn1cx16sse2false<nil>ErrorchdirwritechmodchowncloseMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalOperaAmigoTorchGetDCBEGIN_auth_syncfile:1562578125int16int32int64uint8arrayslice and kind=defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]ntohs&"'https:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFoundNRGBAparsexxxxxInts:Ptrs:GreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilsse41sse42ssse3matchrune tls: Earlyfilesimap2imap3imapspop3shostsutf-8%s%dtext/bad nSHA-1P-224P-256P-384P-521ECDSA (at no IPClassStringFormat[]bytestringreadatremoveSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGOROOTChromeYandexKometaBitBltCOMMITNORMAL_mutexDOUBLE390625uint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not objectstatuslistensocketnumberactiveclosedsocks5CANCELGOAWAYPADDEDBasic CookieacceptcookieexpectoriginserverExpectPragmasocks LockedRGBA64Gray16, val CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidirdtscppopcntcmd/gonetdnsempty rune1 X25519%w%.0wAcceptServerdomaingophertelnet.localreturn.onionip+netheaderAnswerLengthSTREETavx512rdrandrdseedfloat32float64readdirwriteatconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltAPPDATADiscordChrome1Chrome2Chrome3Chrome4Chrome5Orbitumsqlite3DEFAULT_txlock_vacuum_cslikeDECIMAL19531259765625invaliduintptrSwapperChanDir using , type= Value>ConvertforcegcallocmWcpuprofallocmRunknowngctraceIO waitUNKNOWN:eventsCopySidWSARecvWSASendconnectDefaultnumber UpgradeTrailerHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUG:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTNRGBA64nil keyFloats:AvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaavx512fos/execruntimeInstAltInstNopalt -> nop -> any -> derivedInitialExpiresSubjectwindowswsarecvwsasendlookup writetocharset\\.\UNCSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:no portanswers2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoStringtruncateFullPathThursdaySaturdayFebruaryNovemberDecember%!Month(ZONEINFOOpera GXDeleteDCROLLBACK_timeout_journal_locking48828125infinitystrconv.parsing ParseIntFuncTypestruct {nil PoolscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKno anodeCancelIoReadFileAcceptExWSAIoctlshutdownwsaioctlacceptex\Historybad insthijackedNO_ERRORPRIORITYSETTINGSLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0boundaryHTTP/1.1no-cacheContinueAcceptedConflictPaletted
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	String found in binary or memory: unixxn--bitsNameTypeasn1cx16sse2false<nil>ErrorchdirwritechmodchowncloseMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalOperaAmigoTorchGetDCBEGIN_auth_syncfile:1562578125int16int32int64uint8arrayslice and kind=defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]ntohs&"'https:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFoundNRGBAparsexxxxxInts:Ptrs:GreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilsse41sse42ssse3matchrune tls: Earlyfilesimap2imap3imapspop3shostsutf-8%s%dtext/bad nSHA-1P-224P-256P-384P-521ECDSA (at no IPClassStringFormat[]bytestringreadatremoveSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGOROOTChromeYandexKometaBitBltCOMMITNORMAL_mutexDOUBLE390625uint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not objectstatuslistensocketnumberactiveclosedsocks5CANCELGOAWAYPADDEDBasic CookieacceptcookieexpectoriginserverExpectPragmasocks LockedRGBA64Gray16, val CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidirdtscppopcntcmd/gonetdnsempty rune1 X25519%w%.0wAcceptServerdomaingophertelnet.localreturn.onionip+netheaderAnswerLengthSTREETavx512rdrandrdseedfloat32float64readdirwriteatconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltAPPDATADiscordChrome1Chrome2Chrome3Chrome4Chrome5Orbitumsqlite3DEFAULT_txlock_vacuum_cslikeDECIMAL19531259765625invaliduintptrSwapperChanDir using , type= Value>ConvertforcegcallocmWcpuprofallocmRunknowngctraceIO waitUNKNOWN:eventsCopySidWSARecvWSASendconnectDefaultnumber UpgradeTrailerHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUG:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTNRGBA64nil keyFloats:AvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaavx512fos/execruntimeInstAltInstNopalt -> nop -> any -> derivedInitialExpiresSubjectwindowswsarecvwsasendlookup writetocharset\\.\UNCSHA-224SHA-256SHA-384SHA-512Ed25519MD2-RSAMD5-RSAserial:::ffff:no portanswers2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsave#internGoStringtruncateFullPathThursdaySaturdayFebruaryNovemberDecember%!Month(ZONEINFOOpera GXDeleteDCROLLBACK_timeout_journal_locking48828125infinitystrconv.parsing ParseIntFuncTypestruct {nil PoolscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKno anodeCancelIoReadFileAcceptExWSAIoctlshutdownwsaioctlacceptex\Historybad insthijackedNO_ERRORPRIORITYSETTINGSLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0boundaryHTTP/1.1no-cacheContinueAcceptedConflictPaletted

Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	String found in binary or memory: https://discord.com/api/v9/users/
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1681861352.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp, HistoryncVxcrHRZz.0.dr, HistoryAWSFNvLGNr.0.dr, history.json.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1677307275.0000024B5E2D5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1677378269.0000024B5E2D5000.00000004.00000020.00020000.00000000.sdmp, HistoryncVxcrHRZz.0.dr, HistoryAWSFNvLGNr.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1681861352.000000C00008E000.00000004.00001000.00020000.00000000.sdmp, HistoryncVxcrHRZz.0.dr, HistoryAWSFNvLGNr.0.dr, history.json.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1681861352.000000C00008E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17C:
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1677307275.0000024B5E2D5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1677378269.0000024B5E2D5000.00000004.00000020.00020000.00000000.sdmp, HistoryncVxcrHRZz.0.dr, HistoryAWSFNvLGNr.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, type: SAMPLE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.0.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Static PE information: Number of sections : 11 > 10

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, type: SAMPLE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.0.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload

Source: classification engine

Classification label: mal72.troj.spyw.evad.winEXE@2/19@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

File created: C:\Users\user\Desktop\discord.json

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

File opened: C:\Windows\system32\a65c24af649f2140c98023ea80f2c47f38ae2a60d7b9767b76fdb7de8fb981d2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Binary or memory string: SELECT tab_url, target_path FROM downloadslooking for beginning of object key stringmix of request and response pseudo headersPRIORITY frame payload size was %d; want 5http: multipart handled by MultipartReaderhttp: ContentLength=%d with Body length %d Rectang
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1676784459.0000024B5E2BE000.00000004.00000020.00020000.00000000.sdmp, Login DatapomdOhjfeW.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

ReversingLabs: Detection: 20%

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	String found in binary or memory: bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: text offset out
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	String found in binary or memory: bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: text offset out
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	String found in binary or memory: ocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: sudog with non-nil wait
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	String found in binary or memory: ocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: sudog with non-nil wait

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Static file information: File size 7870976 > 1048576

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x40d400
Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2f9800

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1684978369.0000024B5E28E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected Discord Token Stealer

Source: Yara match	File source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674596432.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe PID: 7496, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataifXQjhqTfO	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryncVxcrHRZz	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Profile 1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesyonHaWuppH	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DatapomdOhjfeW	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Profile 5	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Profile 4	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistorymUUcKURTZn	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Profile 3	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Profile 2	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataFIHJDMqXHm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DatamiROCwylnO	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryAWSFNvLGNr	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesPsjkPAcRus	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryqCoKrzsSGr	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Remote Access Functionality

Yara detected Discord Token Stealer

Source: Yara match	File source: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe.7ff7d5bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674596432.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe PID: 7496, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Data from Local System	1 Proxy	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	21%	ReversingLabs	Win64.Trojan.GenSteal

Name	Source	Malicious	Reputation
https://ac.ecosia.org/autocomplete?q=	Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	false	high
https://duckduckgo.com/chrome_newtab	Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	false	high
https://duckduckgo.com/ac/?q=	Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1677307275.0000024B5E2D5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1677378269.0000024B5E2D5000.00000004.00000020.00020000.00000000.sdmp, HistoryncVxcrHRZz.0.dr, HistoryAWSFNvLGNr.0.dr	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17C:	SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1681861352.000000C00008E000.00000004.00001000.00020000.00000000.sdmp	false	high
https://discord.com/api/v9/users/	SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe	false	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1681861352.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp, HistoryncVxcrHRZz.0.dr, HistoryAWSFNvLGNr.0.dr, history.json.0.dr	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1677307275.0000024B5E2D5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000003.1677378269.0000024B5E2D5000.00000004.00000020.00020000.00000000.sdmp, HistoryncVxcrHRZz.0.dr, HistoryAWSFNvLGNr.0.dr	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, 00000000.00000002.1681861352.000000C00008E000.00000004.00001000.00020000.00000000.sdmp, HistoryncVxcrHRZz.0.dr, HistoryAWSFNvLGNr.0.dr, history.json.0.dr	false	high
https://www.ecosia.org/newtab/	Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Web DataFIHJDMqXHm.0.dr, Web DatamiROCwylnO.0.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428461
Start date and time:	2024-04-19 00:39:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe
Detection:	MAL
Classification:	mal72.troj.spyw.evad.winEXE@2/19@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe, PID 7496 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.2115267323300944
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe
File size:	7'870'976 bytes
MD5:	a4d2a484e1f0bf11169fda433a385f7f
SHA1:	6733490679d6236a833d20390bc1e2d8ea88ed2e
SHA256:	b2a55016c310fb3b6e38ea7dd08f6387c18c9eb2a4007947b43e6f1bb712c36e
SHA512:	f3d904b7e60163a89be944fc99b68438120ced7e5c655da99507b5b06d93f530aa82d4355e4b88862ea3c1ab3ac15d8d92e89c973964ee439a083242bcbd335b
SSDEEP:	98304:7GbT/vHJURAs+Flc2MuwWXD0SOi7aEh8D:7GZUus+FYHWTzHi
TLSH:	3B863A47E8A541E8C0AED1348A639263BA717C481B3427D72B60F7382F76FD0AE79754
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................'..@...x................@......................................y...`... ............................

Entrypoint:	0x1400013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x4040c940, 0x1, 0x4040c910, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	9848d2dcb193b1c689991b27006bc941

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x803000	0x159	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x804000	0x1ab0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x752000	0x1a25c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x808000	0xf144	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x750c80	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x804644	0x568	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40d270	0x40d400	76314f13b1738851d8e217fde1e97e9c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x40f000	0x485e0	0x48600	094bce36c9edb61358b75eb16f74f97e	False	0.39078017055267705	data	5.051467623871148	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x458000	0x2f9740	0x2f9800	290222823e0865cbb684d95caf38a5d9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x752000	0x1a25c	0x1a400	24b6a54ab99e002c122ec5b87123f4c8	False	0.42784598214285713	data	5.81195122922775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x76d000	0x6b04	0x6c00	2d44fa57553fdae2a479fa08de18dccd	False	0.16030092592592593	data	4.566128546826554	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x774000	0x8e540	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x803000	0x159	0x200	62c1de4b64d75a6f1ce40864905a3383	False	0.423828125	data	3.740859929334406	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x804000	0x1ab0	0x1c00	cd9a182fb02e539883096e386da83879	False	0.29715401785714285	data	4.4243917545920395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x806000	0x60	0x200	3d16b03d335f1618fece2690fac33913	False	0.06640625	data	0.2990238586730518	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x807000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x808000	0xf144	0xf200	7313ee5b9a113f079e891d51a353aa06	False	0.2539223915289256	data	5.436757937146287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
KERNEL32.dll	AddVectoredContinueHandler, AddVectoredExceptionHandler, AreFileApisANSI, CloseHandle, CreateEventA, CreateFileA, CreateFileMappingW, CreateFileW, CreateIoCompletionPort, CreateMutexW, CreateThread, CreateWaitableTimerA, CreateWaitableTimerExW, DeleteCriticalSection, DeleteFileA, DeleteFileW, DuplicateHandle, EnterCriticalSection, ExitProcess, FlushFileBuffers, FlushViewOfFile, FormatMessageA, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetEnvironmentStringsW, GetErrorMode, GetFileAttributesA, GetFileAttributesExW, GetFileAttributesW, GetFileSize, GetFullPathNameA, GetFullPathNameW, GetLastError, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetTempPathA, GetTempPathW, GetThreadContext, GetTickCount, HeapAlloc, HeapCompact, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSize, HeapValidate, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, LockFile, LockFileEx, MapViewOfFile, MultiByteToWideChar, OutputDebugStringA, OutputDebugStringW, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ReadFile, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetEndOfFile, SetErrorMode, SetEvent, SetFilePointer, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, SystemTimeToFileTime, TlsAlloc, TlsGetValue, TryEnterCriticalSection, UnlockFile, UnlockFileEx, UnmapViewOfFile, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-private-l1-1-0.dll	memchr, memcmp, memcpy, memmove, strchr, strrchr
api-ms-win-crt-runtime-l1-1-0.dll	__p___argc, __p___argv, __p___wargv, _beginthread, _beginthreadex, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _endthreadex, _errno, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_app_type, _set_invalid_parameter_handler, abort, exit, signal
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfprintf, __stdio_common_vfwprintf, fwrite
api-ms-win-crt-string-l1-1-0.dll	memset, strcmp, strcspn, strlen, strncmp, strspn
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _localtime64, _tzset
api-ms-win-crt-utility-l1-1-0.dll	qsort

Name	Ordinal	Address
_cgo_dummy_export	1	0x140802370
authorizerTrampoline	2	0x14031d9e0
callbackTrampoline	3	0x14031d730
commitHookTrampoline	4	0x14031d8c0
compareTrampoline	5	0x14031d830
doneTrampoline	6	0x14031d7f0
preUpdateHookTrampoline	7	0x14031da70
rollbackHookTrampoline	8	0x14031d920
stepTrampoline	9	0x14031d790
updateHookTrampoline	10	0x14031d960

Target ID:	0
Start time:	00:39:58
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe"
Imagebase:	0x7ff7d5bd0000
File size:	7'870'976 bytes
MD5 hash:	A4D2A484E1F0BF11169FDA433A385F7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: 00000000.00000002.1687801774.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: 00000000.00000000.1674596432.00007FF7D6028000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryAWSFNvLGNr

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryncVxcrHRZz

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DatapomdOhjfeW

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesyonHaWuppH

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataFIHJDMqXHm

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DatamiROCwylnO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistorymUUcKURTZn

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryqCoKrzsSGr

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataifXQjhqTfO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web DataIKRjbKbxrb

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web DatavztLIyuiBn

C:\Users\user\Desktop\autofill.json

C:\Users\user\Desktop\cards.json

C:\Users\user\Desktop\cookies.json

C:\Users\user\Desktop\discord.json

C:\Users\user\Desktop\downloads.json

C:\Users\user\Desktop\history.json

C:\Users\user\Desktop\passwords.json

C:\Users\user\Desktop\screenshot.png

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
SecuriteInfo.com.Win64.PWSX-gen.24850.22028.exe