Windows Analysis Report
PROFOMA INVOICE-2024-0419 .exe

Overview

General Information

Sample name: PROFOMA INVOICE-2024-0419 .exe
Analysis ID: 1428857
MD5: e67096a9183b74fbe73ac6ca18d56399
SHA1: ffef2a71110febbd27a8de341dacbbdc5b601368
SHA256: 5f62afbd7dfbf7b9a6727b6ba3809d10bb491fe13361ec598628354926cc4762
Tags: exe

Detection

PureLog Stealer
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Internet Provider seen in connection with other malware
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: PROFOMA INVOICE-2024-0419 .exe Avira: detected
Source: PROFOMA INVOICE-2024-0419 .exe ReversingLabs: Detection: 57%
Source: PROFOMA INVOICE-2024-0419 .exe Joe Sandbox ML: detected
Source: PROFOMA INVOICE-2024-0419 .exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 8cb03cfb-750e-41f5-9111-95ff37f34e9b<Module>costura.costura.dll.compressedcostura.dotnetzip.dll.compressedcostura.dotnetzip.pdb.compressedcostura.protobuf-net.dll.compressedNlswidup.g.resourcesaR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources% source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Nlswidup.pdb source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000012B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3274205812.000000001B330000.00000004.08000000.00040000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.dotnetzip.pdb.compressed source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Nlswidup.pdb( source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000012B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3274205812.000000001B330000.00000004.08000000.00040000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.dotnetzip.pdb.compressed source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: @costura.dotnetzip.pdb.compressed source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: /home/jskinner/.release_build/build/gn/lto_win_x64/subl.pdb source: PROFOMA INVOICE-2024-0419 .exe
Source: Binary string: costura.dotnetzip.pdb.compressed2 source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: unknown DNS query: name: pukrilug.duckdns.org
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 150.114.84.125:7702
Source: Joe Sandbox View ASN Name: KDDIKDDICORPORATIONJP KDDIKDDICORPORATIONJP
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: pukrilug.duckdns.org
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://ocsp.digicert.com0A
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://ocsp.digicert.com0C
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://ocsp.digicert.com0W
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://ocsp.digicert.com0X
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: http://www.digicert.com/CPS0
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Source: PROFOMA INVOICE-2024-0419 .exe, Program.cs Large array initialization: Main: array initializer size 851020
Source: initial sample Static PE information: Filename: PROFOMA INVOICE-2024-0419 .exe
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Code function: 0_2_00007FF848FD1C41 0_2_00007FF848FD1C41
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000012B71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNlswidup.dll" vs PROFOMA INVOICE-2024-0419 .exe
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PROFOMA INVOICE-2024-0419 .exe
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000000.2028015937.00000000006B4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEgttcbp.exe" vs PROFOMA INVOICE-2024-0419 .exe
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PROFOMA INVOICE-2024-0419 .exe
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3274205812.000000001B330000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNlswidup.dll" vs PROFOMA INVOICE-2024-0419 .exe
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNlswidup.dll" vs PROFOMA INVOICE-2024-0419 .exe
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PROFOMA INVOICE-2024-0419 .exe
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PROFOMA INVOICE-2024-0419 .exe
Source: PROFOMA INVOICE-2024-0419 .exe Binary or memory string: OriginalFilenameEgttcbp.exe" vs PROFOMA INVOICE-2024-0419 .exe
Source: PROFOMA INVOICE-2024-0419 .exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.13248cd0.6.raw.unpack, rn2hy1KD9WvlWJ206dY.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.raw.unpack, rn2hy1KD9WvlWJ206dY.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal96.troj.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Mutant created: NULL
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Mutant created: \Sessions\1\BaseNamedObjects\3773f709858a89ca
Source: PROFOMA INVOICE-2024-0419 .exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PROFOMA INVOICE-2024-0419 .exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PROFOMA INVOICE-2024-0419 .exe ReversingLabs: Detection: 57%
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: --launch-or-new-window
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: bodycy--staysgibrightgraysgiverylightgraysgilightgraysgimediumgraydimgraysgiverydarkgraysgidarkgraylightslategraydarkslategrayoverlaykOverlaydisplayposition.ypxtexture_boxsand boxUnixSkPixelRef::lockPixelsMutexaccent_tint_indexInvalid background palette index/IndexwbxPackages/Rails/Ruby on Rails.sublime-syntaxPackages/Rails/Ruby Haml.sublime-syntaxPackages/ASP/HTML-ASP.sublime-syntaxPackages/JavaScript/JSON.sublime-syntaxPackages/JSON/JSON.sublime-syntaxPackages/Rails/HAML.sublime-syntaxPackages/Rails/Ruby (Rails).sublime-syntaxPackages/Java/Java Server Pages (JSP).sublime-syntaxPackages/Java/HTML (JSP).sublime-syntaxPackages/ASP/HTML (ASP).sublime-syntax#%02x%02x%02x<dt>Color:</dt><dd>0xSkModeColorFilter: color: 0xposition.xswrwsk_throwtable_rowtree_rowUninitialized rowsnowlightyellowgreenyellowlightgoldenrodyellowannotation_popup_windowhtml_popup_windowauto_complete_window--launch-or-new-window--new-windowright_shadowleft_shadowtop_shadowbottom_shadowwarm shadowLowhoneydewsvlvgvperuqulukuiuhugueuLu
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: /Installed Packages
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: classkeyword length must be 1 - 79 characterspspatternscannot parse partitionszh-Hanssmstoo many length or distance symbolsWidth is too large for libpng to process pixelsToo much data in IDAT chunksisinvalid stored block lengthsbad code lengthssettingsgray cliffspearly gatescapturesbeginCapturesendCaptures/resfileTypesexcludeTrailingNewlinesTimesValid palette required for paletted images/Packages/Installed Packagestoo many codescsbsConsolasAntiAliasMissing IHDR before pHYsMissing IHDR before oFFsApplication was compiled with png.h from libpng-%.20sApplication is running with png.c from libpng-%.20s%s:%-3d %slibpng error: %slibpng warning: %s mode: %sconvolveAlpha: %srrect-blurrects-blurtrsrfilter_font_descriptorbad Image DescriptorInvalid operatorzlib failed to initialize compressormirrorzlib memory errorbuffer errorunknown errorUnknown errorzlib version errorzlib failed to initialize compressor -- version errorzlib failed to initialize compressor -- mem errorzlib failed to initialize compressor -- stream errorUnknown zlib errorCRC errorNo ErrorDecompression ErrorWrite ErrorParse ErrorRead Errorshadow_colorviewport_colorborder_colorlink_colormonospace_colormonospace_background_colorborder-right-colorborder-left-colorborder-colorborder-top-colorborder-bottom-colorbackground-colorOverrideColorkXormr
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: --help
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: brvarregular RegularSkArithmeticMode_scalarkClearsq!q../../../third_party/skia/src/ports/SkFontMgr_win_dw.cpp../../../third_party/skia/src/ports/SkTypeface_win_dw.cpp../../../third_party/skia/src/core/SkDraw.cpp../../../third_party/skia/src/core/SkBitmapController.cpp../../../third_party/skia/src/images/SkPNGImageEncoder.cpp../../../third_party/skia/src/core/SkRasterClip.cpp../../../third_party/skia/src/core/SkAAClip.cpp../../../third_party/skia/src/core/SkMipMap.cpp../../../third_party/skia/src/core/SkPath.cpp../../../third_party/skia/src/core/SkPathMeasure.cpp../../../third_party/skia/src/core/SkLinearBitmapPipeline.cpp../../../third_party/skia/src/core/SkDevice.cpp../../../third_party/skia/src/core/SkTextBlob.cpp../../../third_party/skia/src/core/SkData.cpp../../../third_party/skia/src/core/SkBlitter_ARGB32.cppborder-topmargin-toppadding-topkDstATopkSrcATop.%x%d.tmpclamp--helppapayawhipnowrapbitmapmipmaptab_overlap%ptomatosogainsboroSetting negative gamma to zeroZeromolokoindigofoeoborosybrownsandybrownsaddlebrownaz-Latnjv-Latnsu-Latnms-LatnkColorBurnfar horizontab_close_buttoncrimsonmaroonlightsalmondarksalmonsgisalmonUnknown exceptioninvalid string positionCall to NULL write functionCall to NULL read functionsaturationSaturationtext-decorationInvalid OperationsymbolIndexTransformationsymbolTransformationkExclusion/Options/Session.sublime-sessionPNG file corrupted by ASCII conversion--versionlemonchiffonnnknmoccasinultrathinultra-thinultra thinbox_margincontent_margininner_marginbeginplainAttempted to set both read_data_fn and write_data_fn intext-alignkLightenlinenbad SOS lenbad DNL lenkDarkenInvalid tokenyellowgreenforestgreenlightgreenlawngreendarkgreenmediumspringgreendarkolivegreenlimegreenpalegreenlightseagreenmediumseagreendarkseagreenkScreenhiddenbnlightcyandarkcyancarmel 
tanromankDstInkSrcInplummediumMediumIgnoreTransformIgnoreXformborder-bottommargin-bottompadding-bottomkmmax_margin_trimsystemlist-itemremoutofmem
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: --add
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: idgdAutohintedIgnoring extra png_read_update_info() call; row buffer not reallocatedmediumvioletredpalevioletredindianreddarkredorangeredUndefinedconnect_to_namedFrame setup faileddecode image failedbase64 decode failedInvalid sRGB rendering intent specifiedInvalid number of transparent colors specifiedInvalid number of histogram entries specifiedInvalid sBIT depth specifiedInvalid image color type specifiedInvalid filter type specifiedInvalid compression type specifiedInvalid interlace type specifiedfaded--add" could not be used with direct write, using gdi instead
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: --launch-or-new-window: Only open a new window if the application is open
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: -a or --add: Add folders to the current window
Source: PROFOMA INVOICE-2024-0419 .exe String found in binary or memory: -h or --help: Show help (this message) and exit
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: PROFOMA INVOICE-2024-0419 .exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PROFOMA INVOICE-2024-0419 .exe Static file information: File size 3473984 > 1048576
Source: PROFOMA INVOICE-2024-0419 .exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PROFOMA INVOICE-2024-0419 .exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.13248cd0.6.raw.unpack, rn2hy1KD9WvlWJ206dY.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.raw.unpack, rn2hy1KD9WvlWJ206dY.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: PROFOMA INVOICE-2024-0419 .exe, Program.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.raw.unpack, AssemblyLoader.cs .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.28c0000.1.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.28c0000.1.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.28c0000.1.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.28c0000.1.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.28c0000.1.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b440000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.133f2340.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.13248cd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3274703681.000000001B440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PROFOMA INVOICE-2024-0419 .exe PID: 5572, type: MEMORYSTR
Source: PROFOMA INVOICE-2024-0419 .exe Static PE information: 0xA913349D [Fri Nov 21 02:42:37 2059 UTC]
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Code function: 0_2_00007FF848F21A90 pushad ; ret 0_2_00007FF848F21BB1
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Code function: 0_2_00007FF848F21AF3 pushad ; ret 0_2_00007FF848F21BB1
Source: PROFOMA INVOICE-2024-0419 .exe Static PE information: section name: .text entropy: 7.9991319058900325
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.13248cd0.6.raw.unpack, rn2hy1KD9WvlWJ206dY.cs High entropy of concatenated method names: 'QVyRihSDS5H9jEYh93B', 'rIxvRZSmOcoYwCEo9h1', 'P41WUD6gFP', 'M3pVQ4Star4TvYTcBRY', 'DbQxYqSGeLWOM0dLMl0', 'p8IGGqSBcV80qv4F7je', 'EW24ukSNv7oeS2ysydx', 'GmU6wlSwtdRHUjRI8w8', 'HTvqHMSrP8gx9ChqmWj', 'dbNRv1SROqdmOku1Il3'
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.13248cd0.6.raw.unpack, AssemblyLoader.cs High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'AWrNtO9IxrcwrTSBRUJ'
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.13248cd0.6.raw.unpack, alfaphWjcdsBgJhWXq2.cs High entropy of concatenated method names: 'd0wM2IfUn1', 'S5nMZOiRQp', 'hnIMIAqHZJ', 'XKSMvmH4u6', 'jHBM0lYUuD', 'BOKMCjA5gV', 'LnUMqWlwOD', 'T4AegrgQKX', 'lojMxvltcR', 'XXjM9kJpeY'
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.13248cd0.6.raw.unpack, RPaZPHW33lAsijJP1L4.cs High entropy of concatenated method names: 'BdjWwdcH5c', 'b3hWrTD0Pq', 'YsgWRuRRMZ', 'U5TWTB0kCj', 'MwGWl7gf3y', 'ootWYOEj8w', 'etYWc6bpSu', 'CtvWo7FTBw', 'dMGWQgZ0XV', 'zNyWJcKWLI'
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.13248cd0.6.raw.unpack, eIheL0QOjKp3BVsrm4.cs High entropy of concatenated method names: 'V8mjGUqk8', 'RbqzWXDb8', 'sJI5aYe2DA', 'DSB55NUV5T', 'd0k5pIYZ3R', 'NHC5VObwvf', 'NrV5F2t3jU', 'Tq35OubvSW', 'ksI5bfIpJM', 'KLl5dW3Rj7'
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.raw.unpack, rn2hy1KD9WvlWJ206dY.cs High entropy of concatenated method names: 'QVyRihSDS5H9jEYh93B', 'rIxvRZSmOcoYwCEo9h1', 'P41WUD6gFP', 'M3pVQ4Star4TvYTcBRY', 'DbQxYqSGeLWOM0dLMl0', 'p8IGGqSBcV80qv4F7je', 'EW24ukSNv7oeS2ysydx', 'GmU6wlSwtdRHUjRI8w8', 'HTvqHMSrP8gx9ChqmWj', 'dbNRv1SROqdmOku1Il3'
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.raw.unpack, AssemblyLoader.cs High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'AWrNtO9IxrcwrTSBRUJ'
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.raw.unpack, alfaphWjcdsBgJhWXq2.cs High entropy of concatenated method names: 'd0wM2IfUn1', 'S5nMZOiRQp', 'hnIMIAqHZJ', 'XKSMvmH4u6', 'jHBM0lYUuD', 'BOKMCjA5gV', 'LnUMqWlwOD', 'T4AegrgQKX', 'lojMxvltcR', 'XXjM9kJpeY'
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.raw.unpack, RPaZPHW33lAsijJP1L4.cs High entropy of concatenated method names: 'BdjWwdcH5c', 'b3hWrTD0Pq', 'YsgWRuRRMZ', 'U5TWTB0kCj', 'MwGWl7gf3y', 'ootWYOEj8w', 'etYWc6bpSu', 'CtvWo7FTBw', 'dMGWQgZ0XV', 'zNyWJcKWLI'
Source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.raw.unpack, eIheL0QOjKp3BVsrm4.cs High entropy of concatenated method names: 'V8mjGUqk8', 'RbqzWXDb8', 'sJI5aYe2DA', 'DSB55NUV5T', 'd0k5pIYZ3R', 'NHC5VObwvf', 'NrV5F2t3jU', 'Tq35OubvSW', 'ksI5bfIpJM', 'KLl5dW3Rj7'
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002F84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002F84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL@E
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Memory allocated: 28A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Memory allocated: 1AB70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000012B71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: E2FrFadU1HgFSGp3yyp
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002F84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002F84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002F84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 1:en-CH:Microsoft|VMWare|Virtual
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002F84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002F84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen2
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002F84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 0VMware|VIRTUAL|A M I|Xen
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002F84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 0Microsoft|VMWare|Virtual
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002F84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWare
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3275059500.000000001B80D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002F84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Queries volume information: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe VolumeInformation
Source: C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.12e68bb8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.12ec8c28.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.12e88bf0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.13248cd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.12ec8c28.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.12e88bf0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.12e68bb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.13248cd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3274205812.000000001B330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3271394645.0000000012B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.12e68bb8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.12ec8c28.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.12e88bf0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.13248cd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.1b330000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.12ec8c28.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.12e88bf0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.12e68bb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROFOMA INVOICE-2024-0419 .exe.13248cd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3274205812.000000001B330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3271394645.0000000012B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY