Windows Analysis Report
ciKdWsb5h4.exe

Overview

General Information

Sample name:	ciKdWsb5h4.exe renamed because original name is a hash value
Original sample name:	bd129b2710c1f8fa9aa98dcc35c5b6b9.exe
Analysis ID:	1431450
MD5:	bd129b2710c1f8fa9aa98dcc35c5b6b9
SHA1:	572034f781967e768d6d9b49de62217561538a45
SHA256:	62c2c1f7335ed8b0a2120b1cf42a4c55cae1869a0245bef10d51de037e0d7ddf
Tags:	32exe
Infos:

Detection

RedLine

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

C2 URLs / IPs found in malware configuration

Installs new ROOT certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops certificate files (DER)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Signatures

AV Detection

Found malware configuration

Source: ciKdWsb5h4.exe

Malware Configuration Extractor: RedLine {"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}

Multi AV Scanner detection for domain / URL

Source: 103.113.70.99:2630

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for submitted file

Source: ciKdWsb5h4.exe	ReversingLabs: Detection: 83%
Source: ciKdWsb5h4.exe	Virustotal: Detection: 76%			Perma Link

Uses 32bit PE files

Source: ciKdWsb5h4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ciKdWsb5h4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb9 source: ciKdWsb5h4.exe, 00000000.00000002.2922388581.0000000000791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb' source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: ciKdWsb5h4.exe, 00000000.00000002.2924252741.0000000005E94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: ciKdWsb5h4.exe, 00000000.00000002.2922388581.0000000000791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdba source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 103.113.70.99:2630

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 103.113.70.99:2630

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 103.113.70.99 103.113.70.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN

Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99

Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Responsex
Source: ciKdWsb5h4.exe	String found in binary or memory: https://api.ip.sb/ip

Drops certificate files (DER)

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp434B.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp435C.tmp			Jump to dropped file

Detected potential crypto function

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_022B25D8	0_2_022B25D8
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_022BDC74	0_2_022BDC74
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B367D8	0_2_05B367D8
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B3A3D8	0_2_05B3A3D8
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B33F50	0_2_05B33F50
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B36FF3	0_2_05B36FF3
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B36FF8	0_2_05B36FF8

Sample file is different than original file name gathered from version info

Source: ciKdWsb5h4.exe, 00000000.00000000.1666059017.0000000000076000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUpspearing.exe8 vs ciKdWsb5h4.exe
Source: ciKdWsb5h4.exe, 00000000.00000002.2922388581.000000000075E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ciKdWsb5h4.exe
Source: ciKdWsb5h4.exe	Binary or memory string: OriginalFilenameUpspearing.exe8 vs ciKdWsb5h4.exe

Uses 32bit PE files

Source: ciKdWsb5h4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.winEXE@1/4@0/1

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B3DFD1 push es; ret	0_2_05B3DFE6
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B3ECF2 push eax; ret	0_2_05B3ED01
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B349AB push FFFFFF8Bh; retf	0_2_05B349AD

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Memory allocated: A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Memory allocated: 23E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Memory allocated: 21F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Users\user\Desktop\ciKdWsb5h4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: ciKdWsb5h4.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ciKdWsb5h4.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666032685.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ciKdWsb5h4.exe PID: 7632, type: MEMORYSTR

ID:	1431450
Product:	CloudBasic
Start time:	05:57:05
Start date:	25.04.2024
Sample:	ciKdWsb5h4.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	bd129b2710c1f8fa9aa98dcc35c5b6b9
SHA1:	572034f781967e768d6d9b49de62217561538a45
SHA256:	62c2c1f7335ed8b0a2120b1cf42a4c55cae1869a0245bef10d51de037e0d7ddf
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\Public\Desktop\Google Chrome.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:32 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide	93296231F661D8ACBE442350CB2E343E	6A5691873D199EFEB60BE972B68300C348B44C6D	5C3ED758D68B99F99C8F9E79D74B30B999E0F39C449BC91A2EDF744A65A364D2
C:\Users\user\AppData\Local\Temp\Tmp434B.tmp	data	1420D30F964EAC2C85B2CCFE968EEBCE	BDF9A6876578A3E38079C4F8CF5D6C79687AD750	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
C:\Users\user\AppData\Local\Temp\Tmp435C.tmp	data	1420D30F964EAC2C85B2CCFE968EEBCE	BDF9A6876578A3E38079C4F8CF5D6C79687AD750	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06	data	373B17759310F94FA7E099063BB941CC	0C173BDBC01BBD66B37228664E059A77B21EAFC7	A176EA03BBCF5AF7352D45CAEC94EE1967A0613D2DF6853D6BA7390D238B0C86

Windows Analysis Report ciKdWsb5h4.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
ciKdWsb5h4.exe

Malware Threat Intel
Provided by