Windows Analysis Report
https://eshoradebitcoin.com/3.dat

Overview

General Information

Sample URL:	https://eshoradebitcoin.com/3.dat
Analysis ID:	1429002
Infos:

Detection

PureLog Stealer, zgRAT

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected PureLog Stealer

Yara detected zgRAT

Machine Learning detection for dropped file

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

PE file does not import any functions

PE file overlay found

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Signatures

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\Downloads\3.dat.crdownload	Avira: detection malicious, Label: TR/Dropper.Gen
Source: /opt/package/joesandbox/database/analysis/1429002/temp/droppedscan/chromecache_61	Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Downloads\3.dat (copy)	ReversingLabs: Detection: 87%
Source: C:\Users\user\Downloads\3.dat.crdownload	ReversingLabs: Detection: 87%
Source: Chrome Cache Entry: 61	ReversingLabs: Detection: 87%

Machine Learning detection for dropped file

Source: C:\Users\user\Downloads\3.dat.crdownload	Joe Sandbox ML: detected
Source: /opt/package/joesandbox/database/analysis/1429002/temp/droppedscan/chromecache_61	Joe Sandbox ML: detected

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49721 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49715 version: TLS 1.2

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49721 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /3.dat HTTP/1.1Host: eshoradebitcoin.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: unknown

DNS traffic detected: queries for: eshoradebitcoin.com

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1713568951032&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49715 version: TLS 1.2

PE file does not import any functions

Source: ab6c8f49-01ae-497c-a189-3be0203beff6.tmp.0.dr

Static PE information: No import functions for PE file found

PE file overlay found

Source: ab6c8f49-01ae-497c-a189-3be0203beff6.tmp.0.dr

Static PE information: Data appended to the last section found

Source: 3.dat.crdownload.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: chromecache_61.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal76.troj.win@18/11@4/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_03

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1992,i,2771170727428028237,18400158983486350545,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://eshoradebitcoin.com/3.dat"
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1992,i,2771170727428028237,18400158983486350545,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 3.dat.crdownload.0.dr	Static PE information: section name: .text entropy: 7.743688791524453
Source: chromecache_61.2.dr	Static PE information: section name: .text entropy: 7.743688791524453

Drops PE files

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\3.dat.crdownload	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 61	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\ab6c8f49-01ae-497c-a189-3be0203beff6.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\3.dat (copy)	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 61
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 61			Jump to dropped file

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: 3.dat.crdownload.0.dr, chromecache_61.2.dr	Binary or memory string: AilOgfBfMfOHEGniCcN.kmLJbnBRHGr3PRMqMOc+xfaiMJ1LKHgFS5Jr3j0+I6K0ZZ1iJX3hE6vOgRe`1[[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]][]
Source: 3.dat.crdownload.0.dr, chromecache_61.2.dr	Binary or memory string: xfaiMJ1LKHgFS5Jr3j0

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\Downloads\3.dat.crdownload, type: DROPPED
Source: Yara match	File source: dropped/chromecache_61, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: C:\Users\user\Downloads\3.dat.crdownload, type: DROPPED
Source: Yara match	File source: dropped/chromecache_61, type: DROPPED

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\Downloads\3.dat.crdownload, type: DROPPED
Source: Yara match	File source: dropped/chromecache_61, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: C:\Users\user\Downloads\3.dat.crdownload, type: DROPPED
Source: Yara match	File source: dropped/chromecache_61, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
78.24.180.93	eshoradebitcoin.com	Russian Federation	35377	TRN-TELECOM-ASRU	false
172.253.124.147	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

Contacted Domains

Name	IP	Active
eshoradebitcoin.com	78.24.180.93	true
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.50.36	true
www.google.com	172.253.124.147	true
fp2e7a.wpc.phicdn.net	192.229.211.108	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://eshoradebitcoin.com/3.dat	false		unknown

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\Downloads\3.dat.crdownload	Avira: detection malicious, Label: TR/Dropper.Gen
Source: /opt/package/joesandbox/database/analysis/1429002/temp/droppedscan/chromecache_61	Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Downloads\3.dat (copy)	ReversingLabs: Detection: 87%
Source: C:\Users\user\Downloads\3.dat.crdownload	ReversingLabs: Detection: 87%
Source: Chrome Cache Entry: 61	ReversingLabs: Detection: 87%

Machine Learning detection for dropped file

Source: C:\Users\user\Downloads\3.dat.crdownload	Joe Sandbox ML: detected
Source: /opt/package/joesandbox/database/analysis/1429002/temp/droppedscan/chromecache_61	Joe Sandbox ML: detected

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49721 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49715 version: TLS 1.2

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49721 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /3.dat HTTP/1.1Host: eshoradebitcoin.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: unknown

DNS traffic detected: queries for: eshoradebitcoin.com

Source: unknown

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49715 version: TLS 1.2

PE file does not import any functions

Source: ab6c8f49-01ae-497c-a189-3be0203beff6.tmp.0.dr

Static PE information: No import functions for PE file found

PE file overlay found

Source: ab6c8f49-01ae-497c-a189-3be0203beff6.tmp.0.dr

Static PE information: Data appended to the last section found

Source: 3.dat.crdownload.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: chromecache_61.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal76.troj.win@18/11@4/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_03

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1992,i,2771170727428028237,18400158983486350545,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://eshoradebitcoin.com/3.dat"
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1992,i,2771170727428028237,18400158983486350545,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 3.dat.crdownload.0.dr	Static PE information: section name: .text entropy: 7.743688791524453
Source: chromecache_61.2.dr	Static PE information: section name: .text entropy: 7.743688791524453

Drops PE files

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\3.dat.crdownload	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 61	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\ab6c8f49-01ae-497c-a189-3be0203beff6.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\3.dat (copy)	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 61
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 61			Jump to dropped file

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: 3.dat.crdownload.0.dr, chromecache_61.2.dr	Binary or memory string: AilOgfBfMfOHEGniCcN.kmLJbnBRHGr3PRMqMOc+xfaiMJ1LKHgFS5Jr3j0+I6K0ZZ1iJX3hE6vOgRe`1[[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]][]
Source: 3.dat.crdownload.0.dr, chromecache_61.2.dr	Binary or memory string: xfaiMJ1LKHgFS5Jr3j0

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\Downloads\3.dat.crdownload, type: DROPPED
Source: Yara match	File source: dropped/chromecache_61, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: C:\Users\user\Downloads\3.dat.crdownload, type: DROPPED
Source: Yara match	File source: dropped/chromecache_61, type: DROPPED

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\Downloads\3.dat.crdownload, type: DROPPED
Source: Yara match	File source: dropped/chromecache_61, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: C:\Users\user\Downloads\3.dat.crdownload, type: DROPPED
Source: Yara match	File source: dropped/chromecache_61, type: DROPPED

ID:	1429002
Product:	CloudBasic
Start time:	01:21:57
Start date:	20.04.2024
Cookbook:	browseurl.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 22:22:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	2F7F3CBE26F8F123D8CE2C143A1E0E83	CAFE33BF3198E6236390E1774B46C207D336228F	062DB634F873ABAE711AA6EBD7D2251DF744232D043912B4692D3029302E0101
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 22:22:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	49F85D6EDE969C503CD8D7DB59A79367	0F5ECEDF7B675E82E71DADA32B0FA51DD2C00878	1576EBE0028778604B449F0697F5D93E7EB427344FCBAD37D6E6A8DB271B09CF
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	52210EC4608EE6DFF00021BA96E04B5F	4A82D73FCDD6ABB4F699FA134ED3CEE46B8F783B	D9AD242CDD6257BE5E160B7FBAA6E61E123A21BBADDB18ECC9FD9E6F840E0A64
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 22:22:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	05DDC2F969D2F4A9E8559B9238FD383D	230907B440125C39E0B9992E9DAA84FF6A51BA3E	99F9FDC09756B13A7EF9D9C0F84F39A018EAAC7A48B70AAAA8DF372B359E03F3
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 22:22:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	E716A68C513A3C12AF63DC20DE617B84	FE0B97FFEE4DFCC6331C55208042539F11BB1360	EE66062B93CD535EEBF0A229278C4B02AB00654C49DF82FF543AEA4C4E43859B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 22:22:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	9BFE233EF9734EC6A2034F4BE2642F3E	458B1149CA48D7C3C4BA17BB510FCAA7E4DCC56B	690446C0662AF84EE5A1058D3B67918B9FF2B5DE04FE3F810A81CED20610926B
C:\Users\user\Downloads\3.dat (copy)	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B68CED78E1348DE3AF3FB2052AA4F1A1	C974C8857A1AECBA0347280C3F6EFF561A2F3FB5	C829BE0E78641329583DE11672027A67CB3FC2BA31059E258A87001953B8F4AC
C:\Users\user\Downloads\3.dat.crdownload	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B68CED78E1348DE3AF3FB2052AA4F1A1	C974C8857A1AECBA0347280C3F6EFF561A2F3FB5	C829BE0E78641329583DE11672027A67CB3FC2BA31059E258A87001953B8F4AC
C:\Users\user\Downloads\ab6c8f49-01ae-497c-a189-3be0203beff6.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	093086E5281EB4F794DBA81AE29C8D44	0880AFE9FEE361A25276C5684BDC0D72205DEC12	5A133E22D7BFFFBB2D4662DEB9B08704244814589CA74BF46624528F9BE3EE83
Chrome Cache Entry: 61	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B68CED78E1348DE3AF3FB2052AA4F1A1	C974C8857A1AECBA0347280C3F6EFF561A2F3FB5	C829BE0E78641329583DE11672027A67CB3FC2BA31059E258A87001953B8F4AC

Windows Analysis Report
https://eshoradebitcoin.com/3.dat

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report https://eshoradebitcoin.com/3.dat

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
https://eshoradebitcoin.com/3.dat

Malware Threat Intel
Provided by