Windows Analysis Report
responsibilityleadpro.exe

Overview

General Information

Sample name: responsibilityleadpro.exe
Analysis ID: 1430809
MD5: 4534f7a174eae348bbab2b8f825c6789
SHA1: f26853dc188650e619d152e9e6cc4c670a2000c8
SHA256: 11cdeed6025daa716961f06ea3b1820270c21a0e5c633c91dc8b547b753c8681
Tags: exe

Detection

CredGrabber, Meduza Stealer
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CredGrabber
Yara detected Meduza Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: responsibilityleadpro.exe ReversingLabs: Detection: 23%
Source: responsibilityleadpro.exe Virustotal: Detection: 27%
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: responsibilityleadpro.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D2FEA0 FindFirstFileExW, 0_2_00007FF6D1D2FEA0
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 109.107.181.83:15666
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Accept: text/html; text/plain; */* Host: api.ipify.org Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 109.107.181.83 109.107.181.83
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.181.83
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: responsibilityleadpro.exe, 00000000.00000003.2271355167.000001D73D3C4000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2271329633.000001D73D3C0000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2271422110.000001D73D3C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.a.0/sTy
Source: responsibilityleadpro.exe, 00000000.00000003.2013426261.000001D73D3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.a.0/sTy0
Source: responsibilityleadpro.exe, 00000000.00000003.2271355167.000001D73D3C4000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2271329633.000001D73D3C0000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2271422110.000001D73D3C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.c.0/ti
Source: responsibilityleadpro.exe, 00000000.00000003.2013426261.000001D73D3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.c.0/ti?
Source: responsibilityleadpro.exe, 00000000.00000003.2271355167.000001D73D3C4000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2271329633.000001D73D3C0000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2271422110.000001D73D3C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.hotosh
Source: responsibilityleadpro.exe, 00000000.00000003.2013426261.000001D73D3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.hotosh0
Source: responsibilityleadpro.exe, 00000000.00000003.2271355167.000001D73D3C4000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2271329633.000001D73D3C0000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2271422110.000001D73D3C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adoraw-se
Source: responsibilityleadpro.exe, 00000000.00000003.2013426261.000001D73D3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adoraw-se0
Source: responsibilityleadpro.exe, 00000000.00000003.2271355167.000001D73D3C4000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2271329633.000001D73D3C0000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2271422110.000001D73D3C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.photo/
Source: responsibilityleadpro.exe, 00000000.00000003.2013426261.000001D73D3B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.photo/0
Source: responsibilityleadpro.exe, 00000000.00000003.2015446547.000001D73D60C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: responsibilityleadpro.exe, 00000000.00000002.2271957829.000001D73A66C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: responsibilityleadpro.exe, 00000000.00000002.2271957829.000001D73A66C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/LwH
Source: responsibilityleadpro.exe, 00000000.00000002.2272128417.000001D73A70C000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2269437821.000001D73A70B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplacVf
Source: responsibilityleadpro.exe, 00000000.00000003.2024346889.000001D73D77D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: responsibilityleadpro.exe, 00000000.00000002.2272128417.000001D73A70C000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2269437821.000001D73A70B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.n
Source: responsibilityleadpro.exe, 00000000.00000003.2024346889.000001D73D77D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: responsibilityleadpro.exe, 00000000.00000003.2015446547.000001D73D60C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: responsibilityleadpro.exe, 00000000.00000003.2015446547.000001D73D60C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: responsibilityleadpro.exe, 00000000.00000003.2015446547.000001D73D60C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: responsibilityleadpro.exe, 00000000.00000002.2272128417.000001D73A70C000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2269437821.000001D73A70B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.moz
Source: responsibilityleadpro.exe, 00000000.00000003.2024346889.000001D73D77D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: responsibilityleadpro.exe, 00000000.00000003.2024346889.000001D73D77D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: responsibilityleadpro.exe, 00000000.00000003.2015446547.000001D73D60C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: responsibilityleadpro.exe, 00000000.00000003.2015446547.000001D73D60C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: responsibilityleadpro.exe, 00000000.00000003.2015446547.000001D73D60C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: responsibilityleadpro.exe, 00000000.00000002.2272128417.000001D73A70C000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2269437821.000001D73A70B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/sta
Source: responsibilityleadpro.exe, 00000000.00000003.2024346889.000001D73D77D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: responsibilityleadpro.exe, 00000000.00000003.2020798326.000001D73D9A4000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023181274.000001D73C920000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023370400.000001D73C75D000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023370400.000001D73C765000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CAC3000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CABB000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73C9E8000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023440662.000001D73D638000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73C9E0000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023181274.000001D73C928000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023440662.000001D73D630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CA47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CA47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: responsibilityleadpro.exe, 00000000.00000003.2023370400.000001D73C76C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: responsibilityleadpro.exe, 00000000.00000002.2272128417.000001D73A70C000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2269437821.000001D73A70B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarket
Source: responsibilityleadpro.exe, 00000000.00000003.2024346889.000001D73D77D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: responsibilityleadpro.exe, 00000000.00000003.2024346889.000001D73D77D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: responsibilityleadpro.exe, 00000000.00000003.2015446547.000001D73D60C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: responsibilityleadpro.exe, 00000000.00000003.2015446547.000001D73D60C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: responsibilityleadpro.exe, 00000000.00000003.2020798326.000001D73D9A4000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023181274.000001D73C920000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023370400.000001D73C75D000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023370400.000001D73C765000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CAC3000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CABB000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73C9E8000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023440662.000001D73D638000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73C9E0000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023181274.000001D73C928000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023440662.000001D73D630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CA47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CA47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: responsibilityleadpro.exe, 00000000.00000003.2022099590.000001D73E049000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CACB000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023181274.000001D73C92F000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73C9EF000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023370400.000001D73C76C000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CA47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CA47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: responsibilityleadpro.exe, 00000000.00000003.2022099590.000001D73E049000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CACB000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023181274.000001D73C92F000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73C9EF000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023370400.000001D73C76C000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CA47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: responsibilityleadpro.exe, 00000000.00000003.2022099590.000001D73E049000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CACB000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023181274.000001D73C92F000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73C9EF000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2023370400.000001D73C76C000.00000004.00000020.00020000.00000000.sdmp, responsibilityleadpro.exe, 00000000.00000003.2019851039.000001D73CA47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705

System Summary

Source: 00000000.00000002.2272286080.000001D73C000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C060F6D NtOpenDirectoryObject, 0_2_000001D73C060F6D
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C061039 NtOpenDirectoryObject,NtOpenDirectoryObject, 0_2_000001D73C061039
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C06210D NtReleaseMutant,NtReleaseMutant, 0_2_000001D73C06210D
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C062A1D NtResumeThread,NtOpenProcessTokenEx,CreateActCtxA,NtReleaseMutant,NtEnumerateKey,NtOpenProcessTokenEx,NtOpenDirectoryObject,NtOpenDirectoryObject,NtOpenDirectoryObject,RtlAddFunctionTable, 0_2_000001D73C062A1D
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C060E6F NtOpenDirectoryObject,NtOpenDirectoryObject,NtOpenDirectoryObject,NtOpenDirectoryObject, 0_2_000001D73C060E6F
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C060DD1 NtOpenDirectoryObject,NtOpenDirectoryObject,NtOpenDirectoryObject,NtOpenDirectoryObject, 0_2_000001D73C060DD1
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3DEC7 0_2_00007FF6D1C3DEC7
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C32AE6 0_2_00007FF6D1C32AE6
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C37B04 0_2_00007FF6D1C37B04
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3C335 0_2_00007FF6D1C3C335
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C36720 0_2_00007FF6D1C36720
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D2FEA0 0_2_00007FF6D1D2FEA0
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C31A92 0_2_00007FF6D1C31A92
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C33DE7 0_2_00007FF6D1C33DE7
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3A586 0_2_00007FF6D1C3A586
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3B1AA 0_2_00007FF6D1C3B1AA
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C314FA 0_2_00007FF6D1C314FA
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C34103 0_2_00007FF6D1C34103
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3B8C6 0_2_00007FF6D1C3B8C6
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3D8D1 0_2_00007FF6D1C3D8D1
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D278B8 0_2_00007FF6D1D278B8
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D2E4D0 0_2_00007FF6D1D2E4D0
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D2788A 0_2_00007FF6D1D2788A
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3C839 0_2_00007FF6D1C3C839
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3BC5A 0_2_00007FF6D1C3BC5A
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3A85E 0_2_00007FF6D1C3A85E
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3C819 0_2_00007FF6D1C3C819
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3C7D5 0_2_00007FF6D1C3C7D5
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3C3BC 0_2_00007FF6D1C3C3BC
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D367B8 0_2_00007FF6D1D367B8
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C33FEC 0_2_00007FF6D1C33FEC
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3D7EB 0_2_00007FF6D1C3D7EB
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C33F93 0_2_00007FF6D1C33F93
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C32B76 0_2_00007FF6D1C32B76
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D27737 0_2_00007FF6D1D27737
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C3DB74 0_2_00007FF6D1C3DB74
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1C34358 0_2_00007FF6D1C34358
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C062A1D 0_2_000001D73C062A1D
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C0611D5 0_2_000001D73C0611D5
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C0625E5 0_2_000001D73C0625E5
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C28EFEF 0_2_000001D73C28EFEF
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C2901C0 0_2_000001D73C2901C0
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C290E1B 0_2_000001D73C290E1B
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C285665 0_2_000001D73C285665
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C2910A8 0_2_000001D73C2910A8
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C315884 0_2_000001D73C315884
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C28CED8 0_2_000001D73C28CED8
Source: responsibilityleadpro.exe Binary or memory string: OriginalFilename vs responsibilityleadpro.exe
Source: responsibilityleadpro.exe, 00000000.00000000.1988606476.00007FF6D1DFE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAsbestosis anna4 vs responsibilityleadpro.exe
Source: responsibilityleadpro.exe Binary or memory string: OriginalFilenameAsbestosis anna4 vs responsibilityleadpro.exe
Source: 00000000.00000002.2272286080.000001D73C000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine Classification label: mal88.troj.spyw.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Mutant created: NULL
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E696384F19BAF
Source: responsibilityleadpro.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: magnification.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: responsibilityleadpro.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: responsibilityleadpro.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: responsibilityleadpro.exe Static file information: File size 1936896 > 1048576
Source: responsibilityleadpro.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117000
Source: responsibilityleadpro.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: responsibilityleadpro.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: responsibilityleadpro.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: responsibilityleadpro.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: responsibilityleadpro.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: responsibilityleadpro.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: responsibilityleadpro.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: responsibilityleadpro.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: responsibilityleadpro.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: responsibilityleadpro.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: responsibilityleadpro.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: responsibilityleadpro.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: responsibilityleadpro.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: responsibilityleadpro.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1DFE150 push rax; iretd 0_2_00007FF6D1DFE15D
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C2901C0 push cs; retf 0_2_000001D73C290E19
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_000001D73C2885C4 push edx; ret 0_2_000001D73C2885DE
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D2FEA0 FindFirstFileExW, 0_2_00007FF6D1D2FEA0
Source: responsibilityleadpro.exe, 00000000.00000002.2271957829.000001D73A66C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPbp:
Source: responsibilityleadpro.exe, 00000000.00000002.2271957829.000001D73A701000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW2
Source: responsibilityleadpro.exe, 00000000.00000002.2271957829.000001D73A701000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D29A54 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6D1D29A54
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D329C0 GetProcessHeap, 0_2_00007FF6D1D329C0
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D29A54 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6D1D29A54
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D36D78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6D1D36D78
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D2F45C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6D1D2F45C
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D29C34 SetUnhandledExceptionFilter, 0_2_00007FF6D1D29C34
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D36600 cpuid 0_2_00007FF6D1D36600
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Code function: 0_2_00007FF6D1D29914 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6D1D29914

Stealing of Sensitive Information

barindex
Source: Yara match File source: Process Memory Space: responsibilityleadpro.exe PID: 3012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: responsibilityleadpro.exe PID: 3012, type: MEMORYSTR
Source: responsibilityleadpro.exe, 00000000.00000002.2271957829.000001D73A66C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum-LTC\wallets
Source: responsibilityleadpro.exe, 00000000.00000002.2271957829.000001D73A66C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash\config
Source: responsibilityleadpro.exe, 00000000.00000003.2057911704.000001D73FE26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "software": "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",
Source: responsibilityleadpro.exe, 00000000.00000002.2271957829.000001D73A66C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: responsibilityleadpro.exe, 00000000.00000002.2271957829.000001D73A66C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: responsibilityleadpro.exe, 00000000.00000002.2271957829.000001D73A66C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\responsibilityleadpro.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\responsibilityleadpro.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

barindex
Source: Yara match File source: Process Memory Space: responsibilityleadpro.exe PID: 3012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: responsibilityleadpro.exe PID: 3012, type: MEMORYSTR