Windows Analysis Report
file4232024.exe

Overview

General Information

Sample name: file4232024.exe
Analysis ID: 1431780
MD5: 982f1903db530be43b0d0fc4ce976e8e
SHA1: e2a9534e65f2ae33df71b136cfef600eab4f3627
SHA256: 0c0d782dac4f8afdf63e33666febfe1aea6605c1a64ae532a8b84d2d315b176b
Tags: exe

Detection

DarkCloud
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected DarkCloud
Yara detected Generic Dropper
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file4232024.exe ReversingLabs: Detection: 63%
Source: file4232024.exe Virustotal: Detection: 47%
Source: file4232024.exe Joe Sandbox ML: detected
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: Cookies
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: \Default\Login Data
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: \Login Data
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: //setting[@name='Password']/value
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: Password :
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: SMTP Email Address
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: NNTP Email Address
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: Email
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: HTTPMail User Name
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: HTTPMail Server
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: Password
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^389[0-9]{11}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^3[47][0-9]{13}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^(6541|6556)[0-9]{12}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^3(?:0[0-5]|[68][0-9])[0-9]{11}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^63[7-9][0-9]{13}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^9[0-9]{15}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^(?:2131|1800|35\\d{3})\\d{11}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^(6304|6706|6709|6771)[0-9]{12,15}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: Mastercard
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^(62[0-9]{14,17})$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: Visa Card
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: Visa Master Card
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: \logins.json
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: \signons.sqlite
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: Foxmail.exe
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: mail\
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: \Accounts\Account.rec0
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: \AccCfg\Accounts.tdat
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: EnableSignature
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: Application : FoxMail
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: encryptedUsername
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: logins
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: encryptedPassword
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: office.tony39@mail.ru
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusing
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpauthenticate
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: mail.vinoterra.ru
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword
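The decrypted strings above spell out what the injected payload hunts for: Chromium "Login Data" and Firefox logins.json/signons.sqlite credential stores, Outlook and WinSCP profiles in the registry, Foxmail account files, and a set of payment-card regular expressions, with the exfiltration channel configured through CDO SMTP fields (mail.vinoterra.ru, office.tony39@mail.ru). The Python below is an added example, not code from the sample or from Joe Sandbox: it applies the card patterns exactly as they were decrypted, plus an analyst-side Luhn check, to constructed text, so one can see which numbers the payload's own patterns accept and which they miss. The label "Visa Master Card" directly follows the Visa/Mastercard pattern in the decrypted string list and is used as that pattern's name; the other brand names are my reading of the IIN ranges, not labels from the sample. One pattern is worth testing rather than trusting: the JCB-style expression is stored with doubled backslashes, `^(?:2131|1800|35\\d{3})\\d{11}$`, which a regex engine reads as a literal backslash followed by the letter d, so it can never match a digit string; a corrected form is included only for comparison.

```python
import re

# Payment-card patterns exactly as the sandbox's string decryptor recovered them from the
# injected payload (see the "String decryptor" lines above). Names marked "assumed" are my
# identification of the IIN ranges; "visa_master" takes the "Visa Master Card" label that
# follows the pattern in the decrypted strings.
RECOVERED_PATTERNS = {
    "amex (assumed)":     r"^3[47][0-9]{13}$",
    "diners (assumed)":   r"^3(?:0[0-5]|[68][0-9])[0-9]{11}$",
    "maestro (assumed)":  r"^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$",
    "unionpay (assumed)": r"^(62[0-9]{14,17})$",
    "visa_master":        r"^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$",
    # Stored with doubled backslashes: "\\d" is a literal backslash then 'd', not a digit class.
    "jcb_as_decrypted":   r"^(?:2131|1800|35\\d{3})\\d{11}$",
}

# Not in the sample: what the JCB pattern was presumably meant to be, for comparison only.
JCB_AS_INTENDED = re.compile(r"^(?:2131|1800|35\d{3})\d{11}$")

COMPILED = {name: re.compile(pat) for name, pat in RECOVERED_PATTERNS.items()}
DIGIT_RUN = re.compile(r"[0-9]{12,19}")   # the recovered patterns accept 12 to 19 digits


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum. The payload does not do this; it is an analyst-side filter."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(candidate: str) -> list:
    """Names of every recovered pattern that accepts the candidate string."""
    return [name for name, rx in COMPILED.items() if rx.match(candidate)]


def scan_text(text: str) -> list:
    """(number, labels, luhn_ok) for each digit run the payload's own patterns would accept."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        labels = classify(m.group())
        if labels:
            hits.append((m.group(), labels, luhn_ok(m.group())))
    return hits


# Constructed input built from the card brands' public test numbers, not data from the sample.
SAMPLE_TEXT = (
    "order 4111111111111111 exp 12/27; amex 378282246310005; "
    "jcb 3530111333300000; phone 15551234567"
)

if __name__ == "__main__":
    for number, labels, ok in scan_text(SAMPLE_TEXT):
        print(f"{number}: {labels} luhn={ok}")
    # The decrypted JCB pattern misses the real JCB test number but accepts this nonsense:
    print(classify("35\\ddd\\" + "d" * 11))
```

The JCB test number 3530111333300000 is rejected by the pattern as decrypted and accepted by the corrected form, which is the kind of defect that matters when these regexes are reused as DLP or detection content: copy them from the sample only after testing them against known-good values.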
Source: file4232024.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: file4232024.exe, 00000000.00000003.2023518889.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, file4232024.exe, 00000000.00000003.2024099743.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: W.pdb4 source: svchost.exe, 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: file4232024.exe, 00000000.00000003.2023518889.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, file4232024.exe, 00000000.00000003.2024099743.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00644696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00644696
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064C93C FindFirstFileW,FindClose, 0_2_0064C93C
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0064C9C7
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0064F200
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0064F35D
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0064F65E
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00643A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00643A2B
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00643D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00643D4E
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0064BF27
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_006525E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_006525E2
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0065425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0065425A
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00654458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00654458
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0065425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0065425A
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00640219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00640219
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0066CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0066CDAC

System Summary

Source: C:\Users\user\Desktop\file4232024.exe Code function: This is a third-party compiled AutoIt script. 0_2_005E3B4C
Source: file4232024.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file4232024.exe, 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_1f6a5f1a-f
Source: file4232024.exe, 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_fc1f5706-e
Source: file4232024.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_1fcc7855-b
Source: file4232024.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_57878b67-3
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00644021: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00644021
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00638858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00638858
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_0064545F
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005EE800 0_2_005EE800
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0060DBB5 0_2_0060DBB5
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0066804A 0_2_0066804A
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005EE060 0_2_005EE060
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005F4140 0_2_005F4140
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00602405 0_2_00602405
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00616522 0_2_00616522
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00660665 0_2_00660665
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0061267E 0_2_0061267E
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005F6843 0_2_005F6843
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0060283A 0_2_0060283A
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_006189DF 0_2_006189DF
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005F8A0E 0_2_005F8A0E
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00660AE2 0_2_00660AE2
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00616A94 0_2_00616A94
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0063EB07 0_2_0063EB07
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00648B13 0_2_00648B13
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0060CD61 0_2_0060CD61
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00617006 0_2_00617006
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005F710E 0_2_005F710E
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005F3190 0_2_005F3190
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005E1287 0_2_005E1287
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_006033C7 0_2_006033C7
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0060F419 0_2_0060F419
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_006016C4 0_2_006016C4
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005F5680 0_2_005F5680
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005F58C0 0_2_005F58C0
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_006078D3 0_2_006078D3
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00601BB8 0_2_00601BB8
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00619D05 0_2_00619D05
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005EFE40 0_2_005EFE40
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0060BFE6 0_2_0060BFE6
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00601FD0 0_2_00601FD0
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_01FD3630 0_2_01FD3630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00426B60 2_2_00426B60
Source: C:\Users\user\Desktop\file4232024.exe Code function: String function: 00600D27 appears 70 times
Source: C:\Users\user\Desktop\file4232024.exe Code function: String function: 00608B40 appears 42 times
Source: C:\Users\user\Desktop\file4232024.exe Code function: String function: 005E7F41 appears 35 times
Source: file4232024.exe, 00000000.00000003.2025112873.0000000003DD3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs file4232024.exe
Source: file4232024.exe, 00000000.00000003.2024555364.0000000003F7D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs file4232024.exe
Source: file4232024.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: svchost.exe Binary or memory string: C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: svchost.exe Binary or memory string: *\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: svchost.exe, 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: x;@*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: file4232024.exe, 00000000.00000002.2026120718.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: ,@`C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
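Two layers are visible in this report: the file on disk is a compiled AutoIt script (the "This is a third-party compiled AutoIt script." string above, and the aut25DE.tmp drop under %TEMP%), while the code that ends up running inside svchost.exe is a Visual Basic 6 executable (msvbvm60.dll is loaded and the linker left the project path ending in \Stub\Project1.vbp in the image, which also shows up in the wrapper's own memory at 0x1FE0000 before injection). The Python below is an added triage helper, not code from Joe Sandbox: it scans a file or a memory dump for these layer markers. The AutoIt marker string and the `*\A<drive>:\...\<name>.vbp` form come from this report; the `AU3!EA06` compiled-script header and the `VB5!` runtime-header signature are general knowledge about those toolchains, not something the report states; the sample bytes are constructed.

```python
import re
import sys

# Marker strings from this report: the AutoIt runtime's self-description and the
# VB6 project path the linker leaves in the binary (*\A<drive>:\...\<name>.vbp).
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."
VBP_PATH_RE = re.compile(rb"\*\\A([A-Za-z]:\\[^\x00]{1,260}?\.vbp)")

# General knowledge about the two toolchains, not stated in the report:
# AutoIt v3 stores the compiled script behind an "AU3!EA06" header; a VB6 executable
# begins its runtime header with the "VB5!" signature.
AUTOIT_MAGIC = b"AU3!EA06"
VB6_MAGIC = b"VB5!"


def find_all(data: bytes, needle: bytes) -> list:
    """Offsets of every occurrence of needle in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def layer_markers(data: bytes) -> dict:
    """Which wrapper/payload technologies leave their marks in a file or memory dump."""
    vbp = VBP_PATH_RE.search(data)
    return {
        "autoit_marker": AUTOIT_MARKER in data,
        "autoit_script_offsets": find_all(data, AUTOIT_MAGIC),   # compiled script blob starts here
        "vb6_header": VB6_MAGIC in data,
        "vb6_project_path": vbp.group(1).decode("latin-1") if vbp else None,
    }


# Constructed stand-ins for the two layers seen in this report; not bytes from the sample.
WRAPPER_SAMPLE = (b"MZ" + b"\x00" * 62 + AUTOIT_MARKER + b"\x00" * 8
                  + AUTOIT_MAGIC + b"\x01\x02\x03" * 8)
PAYLOAD_SAMPLE = (b"MZ" + b"\x00" * 62 + VB6_MAGIC + b"\x00" * 4
                  + b"*\\AC:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows"
                  + b"\\Templates\\Stub\\Project1.vbp\x00")

if __name__ == "__main__":
    # Usage: python layers.py <file-or-dump> ...   (falls back to the constructed samples)
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [WRAPPER_SAMPLE, PAYLOAD_SAMPLE]
    for blob in blobs:
        print(layer_markers(blob))
```

Run it over the dropped file and over the 0x400000 region dumped from svchost.exe: the former should report the AutoIt markers (the offset of `AU3!EA06` is where to start carving the script for decompilation), the latter the VB6 header and project path, with no overlap between the two.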
Source: classification engine Classification label: mal92.troj.spyw.evad.winEXE@4/6@0/0
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064A2D5 GetLastError,FormatMessageW, 0_2_0064A2D5
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00638713 AdjustTokenPrivileges,CloseHandle, 0_2_00638713
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00638CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00638CC3
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0064B59E
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0065F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0065F121
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064C602 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0064C602
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005E4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_005E4FE9
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: NULL
Source: C:\Users\user\Desktop\file4232024.exe File created: C:\Users\user\AppData\Local\Temp\aut25DE.tmp
Source: file4232024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file4232024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: svchost.exe Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
Source: svchost.exe, 00000002.00000003.2341453055.0000000003250000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2341919743.0000000003250000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2341065025.000000000324C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2341610473.000000000324B000.00000004.00000020.00020000.00000000.sdmp, LogfireblendeuGDOCADegvvshJYgdfgGWltXxnlOnThLThggfsEYSRpalmitic.2.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file4232024.exe ReversingLabs: Detection: 63%
Source: file4232024.exe Virustotal: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\file4232024.exe "C:\Users\user\Desktop\file4232024.exe"
Source: C:\Users\user\Desktop\file4232024.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\file4232024.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\file4232024.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\file4232024.exe"
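The process tree above is the main host-side tell for this sample: file4232024.exe (the AutoIt wrapper) starts C:\Windows\SysWOW64\svchost.exe and passes it the wrapper's own command line, instead of the normal services.exe launch with a -k service group; that is what the "Creates a process in suspended mode", "Writes to foreign memory regions" and Sigma "Uncommon Svchost Parent Process" hits describe, and the hollowed svchost then drives WmiPrvSE.exe for the StdRegProv registry enumeration. The Python below is an added example, not code from Joe Sandbox or from a Sigma rule file: it runs three svchost checks over constructed Sysmon Event ID 1 style records that mirror this tree (the PIDs, the explorer.exe parent of the wrapper and the field names are assumptions) and pivots from each hit to its child processes.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


# Constructed records mirroring the process tree in this report (PIDs and the
# explorer.exe parent of the wrapper are assumptions, not values from the report).
EVENTS = [
    ProcEvent(804, 600, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcEvent(5120, 2244, r"C:\Users\user\Desktop\file4232024.exe",
              r"C:\Windows\explorer.exe",
              r'"C:\Users\user\Desktop\file4232024.exe"'),
    ProcEvent(5188, 5120, r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Users\user\Desktop\file4232024.exe",
              r'"C:\Users\user\Desktop\file4232024.exe"'),
    ProcEvent(5236, 5188, r"C:\Windows\SysWOW64\wbem\WmiPrvSE.exe",
              r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding"),
]

# Parents that legitimately start svchost.exe; extend per environment (e.g. MsMpEng.exe).
SVCHOST_PARENT_ALLOWLIST = {"services.exe"}


def first_token(command_line: str) -> str:
    """Executable named by a Windows command line, honouring a quoted first argument."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end != -1 else cl[1:]
    return cl.split(" ", 1)[0]


def svchost_findings(ev: ProcEvent) -> list:
    """Reasons this svchost.exe start looks hollowed or otherwise abnormal (empty = clean)."""
    name = ntpath.basename(ev.image).lower()
    if name != "svchost.exe":
        return []
    findings = []
    parent = ntpath.basename(ev.parent_image).lower()
    if parent not in SVCHOST_PARENT_ALLOWLIST:
        findings.append(f"parent is {parent}, not services.exe")        # Sigma: Uncommon Svchost Parent Process
    if "-k" not in ev.command_line.lower().split():
        findings.append("no -k service group on the command line")
    named = ntpath.basename(first_token(ev.command_line)).lower()
    if named != name:
        findings.append(f"command line names {named}, image is {name}")  # command line inherited from the injector
    return findings


def triage(events: list) -> dict:
    """pid -> findings and child images for every svchost start that raised a finding."""
    report = {}
    for ev in events:
        findings = svchost_findings(ev)
        if findings:
            children = [c.image for c in events if c.ppid == ev.pid]
            report[ev.pid] = {"image": ev.image, "findings": findings, "children": children}
    return report


if __name__ == "__main__":
    for pid, info in triage(EVENTS).items():
        print(pid, info["image"])
        for finding in info["findings"]:
            print("   -", finding)
        print("   children:", info["children"])
```

The parent allowlist is the part that needs tuning: a few legitimate Windows components also start svchost.exe, so run the rule over a week of baseline telemetry before alerting on it. The command-line mismatch check is the most specific of the three here, because a service-controlled svchost never carries a user-profile path as its first argument.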
Source: C:\Users\user\Desktop\file4232024.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file4232024.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file4232024.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file4232024.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file4232024.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file4232024.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file4232024.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file4232024.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file4232024.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file4232024.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file4232024.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vb6zz.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file4232024.exe Static file information: File size 1204736 > 1048576
Source: file4232024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file4232024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file4232024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file4232024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file4232024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file4232024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file4232024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: file4232024.exe, 00000000.00000003.2023518889.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, file4232024.exe, 00000000.00000003.2024099743.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: W.pdb4 source: svchost.exe, 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: file4232024.exe, 00000000.00000003.2023518889.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, file4232024.exe, 00000000.00000003.2024099743.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source: file4232024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file4232024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file4232024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file4232024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file4232024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0065C304 LoadLibraryA,GetProcAddress, 0_2_0065C304
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00608B85 push ecx; ret 0_2_00608B98
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_005E4A35
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_006655FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_006655FD
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_006033C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_006033C7
Source: C:\Users\user\Desktop\file4232024.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file4232024.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file4232024.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\file4232024.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 9.1 %
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00644696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00644696
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064C93C FindFirstFileW,FindClose, 0_2_0064C93C
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0064C9C7
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0064F200
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0064F35D
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0064F65E
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00643A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00643A2B
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00643D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00643D4E
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0064BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0064BF27
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005E4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_005E4AFE
Source: WebData.2.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: WebData.2.dr Binary or memory string: discord.comVMware20,11696428655f
Source: WebData.2.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: WebData.2.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: WebData.2.dr Binary or memory string: global block list test formVMware20,11696428655
Source: WebData.2.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: WebData.2.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: WebData.2.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: WebData.2.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: WebData.2.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: WebData.2.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: WebData.2.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: WebData.2.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: WebData.2.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: WebData.2.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: WebData.2.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: WebData.2.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: WebData.2.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: WebData.2.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: WebData.2.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: WebData.2.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: WebData.2.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: WebData.2.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: WebData.2.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: WebData.2.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: WebData.2.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: WebData.2.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: WebData.2.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: WebData.2.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: WebData.2.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: WebData.2.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\file4232024.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_006541FD BlockInput, 0_2_006541FD
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005E3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_005E3B4C
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00615CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00615CCC
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0065C304 LoadLibraryA,GetProcAddress, 0_2_0065C304
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_01FD3520 mov eax, dword ptr fs:[00000030h] 0_2_01FD3520
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_01FD34C0 mov eax, dword ptr fs:[00000030h] 0_2_01FD34C0
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_01FD1ED0 mov eax, dword ptr fs:[00000030h] 0_2_01FD1ED0
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_006381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_006381F7
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0060A364 SetUnhandledExceptionFilter, 0_2_0060A364
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0060A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0060A395
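The three `mov eax, dword ptr fs:[00000030h]` sites listed above are the classic 32-bit read of the PEB pointer out of the TEB, which is what precedes a manual check of PEB.BeingDebugged or PEB.NtGlobalFlag when a sample does not want to call IsDebuggerPresent. As an added example (not part of this report and not code from the sample), the following Python scanner locates that encoding in a raw memory dump or unpacked PE image and guesses which PEB field is consulted next. The byte buffer and the 0x400000 base are constructed for illustration; the field classification is a heuristic on ModRM bytes, so treat the output as triage, not disassembly.

```python
import re
import sys

# 32-bit encodings of a read of the PEB pointer from the TEB at fs:[30h]:
#   64 A1 30 00 00 00        mov eax, dword ptr fs:[30h]   (moffs32 form, eax only)
#   64 8B /r 30 00 00 00     mov r32, dword ptr fs:[30h]   (ModRM mod=00 rm=101 -> disp32)
_REG_FROM_MODRM = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx", 0x35: "esi", 0x3D: "edi"}
_REG_INDEX = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esi": 6, "edi": 7}
_PEB_READ = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x35\x3D])\x30\x00\x00\x00")


def _classify(tail: bytes, reg: str) -> str:
    """Heuristic: which PEB field is dereferenced through `reg` right after the read.

    Searches the following bytes for a ModRM addressing [reg+disp8] (mod=01, rm=reg,
    any value in the reg/opcode-extension field) followed by a known field offset:
    +02h is PEB.BeingDebugged, +68h is PEB.NtGlobalFlag (32-bit layout)."""
    idx = _REG_INDEX[reg]
    for r in range(8):
        modrm = 0x40 | (r << 3) | idx
        if bytes([modrm, 0x02]) in tail:
            return "BeingDebugged"
        if bytes([modrm, 0x68]) in tail:
            return "NtGlobalFlag"
    return "other"


def scan_peb_reads(data: bytes, base: int = 0, window: int = 16) -> list:
    """Return one record per fs:[30h] read: address, instruction text, likely PEB field."""
    hits = []
    for m in _PEB_READ.finditer(data):
        enc = m.group(0)
        reg = "eax" if enc[1] == 0xA1 else _REG_FROM_MODRM[enc[2]]
        hits.append({
            "va": base + m.start(),
            "insn": f"mov {reg}, dword ptr fs:[30h]",
            "use": _classify(data[m.end():m.end() + window], reg),
        })
    return hits


# Constructed stand-in for a code region (not bytes from the sample): two PEB reads,
# one feeding a BeingDebugged check and one feeding an NtGlobalFlag heap-flag test.
SAMPLE = (
    b"\x55\x8B\xEC"                      # push ebp ; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"          # mov eax, dword ptr fs:[30h]
    b"\x0F\xB6\x40\x02"                  # movzx eax, byte ptr [eax+2]   ; BeingDebugged
    b"\x85\xC0\x75\x05"                  # test eax, eax ; jnz +5
    b"\x64\x8B\x0D\x30\x00\x00\x00"      # mov ecx, dword ptr fs:[30h]
    b"\xF6\x41\x68\x70"                  # test byte ptr [ecx+68h], 70h   ; NtGlobalFlag
    b"\xC3"                              # ret
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        blob, base = open(sys.argv[1], "rb").read(), 0      # file offsets
    else:
        blob, base = SAMPLE, 0x400000                        # constructed demo base
    for h in scan_peb_reads(blob, base):
        print(f"{h['va']:08X}  {h['insn']:<30} -> {h['use']}")
```

A PEB read on its own is weak evidence, since CRT startup code and many packers read fs:[30h] for ordinary reasons; what makes it worth a look here is the combination with the IsDebuggerPresent and OutputDebugString checks reported in the same section, and the heuristic above only tells you which hits deserve a manual look.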

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file4232024.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\file4232024.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2FEE008
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00638C93 LogonUserW, 0_2_00638C93
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005E3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_005E3B4C
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_005E4A35
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00644EF5 mouse_event, 0_2_00644EF5
Source: C:\Users\user\Desktop\file4232024.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\file4232024.exe"
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_006381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_006381F7
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00644C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00644C03
Source: file4232024.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file4232024.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0060886B cpuid 0_2_0060886B
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_006150D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_006150D7
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00622230 GetUserNameW, 0_2_00622230
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_0061418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_0061418A
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_005E4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_005E4AFE

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file4232024.exe.1fe0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file4232024.exe.1fe0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2026120718.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file4232024.exe PID: 1680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file4232024.exe PID: 1680, type: MEMORYSTR
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: file4232024.exe Binary or memory string: WIN_81
Source: file4232024.exe Binary or memory string: WIN_XP
Source: file4232024.exe Binary or memory string: WIN_XPe
Source: file4232024.exe Binary or memory string: WIN_VISTA
Source: file4232024.exe Binary or memory string: WIN_7
Source: file4232024.exe Binary or memory string: WIN_8
Source: file4232024.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
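Read together, the HIPS section (a section mapped into C:\Windows\SysWOW64\svchost.exe with execute, read and write protection, memory written into it, and svchost.exe created with the Desktop executable's own path as its command line) and the credential store opens in this section describe a hollowed svchost.exe that then reads Chrome and Edge Login Data. The following Python detector is added here and is not taken from the report or from any vendor's rule set; it turns those observations into four checks over process-creation, cross-process memory-write and file-open events. The event dictionaries and their field names are constructed to mirror the report's findings (they are not real sandbox or Sysmon output), and the allowed parent for svchost.exe and the browser image names are assumptions tuned to this sample.

```python
from pathlib import PureWindowsPath

# Assumptions, not facts from the report: which images may legitimately touch browser
# credential stores, and which parent a real svchost.exe is expected to have.
BROWSERS = {"chrome.exe", "msedge.exe"}
SVCHOST_PARENT = "services.exe"
CRED_STORES = {"login data", "web data"}


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _cmdline_image(cmd: str) -> str:
    """First token of a command line: a quoted path or everything up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _system_path(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def detect(events: list) -> list:
    """Return (rule, subject, detail) tuples for every event matching a hollowing/stealer check."""
    alerts = []
    for e in events:
        kind = e["type"]
        if kind == "process_create":
            # Hollowing signature seen in the report: image is svchost.exe but the command
            # line names the dropper, i.e. the process was created from the dropper's path.
            if _base(e["image"]) != _base(_cmdline_image(e["command_line"])):
                alerts.append(("image_cmdline_mismatch", e["image"], e["command_line"]))
            if _base(e["image"]) == "svchost.exe" and _base(e["parent_image"]) != SVCHOST_PARENT:
                alerts.append(("svchost_unexpected_parent", e["image"], e["parent_image"]))
        elif kind == "memory_write":
            # Executable memory written/mapped into a Windows binary by a process running
            # from a user-writable location.
            if ("execute" in e["protection"].lower()
                    and _system_path(e["target_image"])
                    and not _system_path(e["source_image"])):
                alerts.append(("exec_write_into_system_binary", e["source_image"], e["target_image"]))
        elif kind == "file_open":
            p = PureWindowsPath(e["path"])
            in_profile = any(part.lower() == "user data" for part in p.parts)
            if p.name.lower() in CRED_STORES and in_profile and _base(e["image"]) not in BROWSERS:
                alerts.append(("credential_store_read_by_non_browser", e["image"], e["path"]))
    return alerts


# Constructed events modelled on the report's findings plus two benign controls.
EVENTS = [
    {"type": "process_create",
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "command_line": r'"C:\Users\user\Desktop\file4232024.exe"',
     "parent_image": r"C:\Users\user\Desktop\file4232024.exe"},
    {"type": "memory_write",
     "source_image": r"C:\Users\user\Desktop\file4232024.exe",
     "target_image": r"C:\Windows\SysWOW64\svchost.exe",
     "protection": "execute and read and write"},
    {"type": "file_open",
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process_create",                       # benign: service host under services.exe
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "file_open",                            # benign: the browser reading its own store
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for rule, subject, detail in detect(EVENTS):
        print(f"{rule:<40} {subject}  ->  {detail}")
```

The image/command-line mismatch is the cheapest of the four checks and the one most specific to what this report shows; the parent check is tuned for this sample and will need exceptions on real hosts (svchost.exe is also started by other system processes), so keep SVCHOST_PARENT and BROWSERS as tunable allowlists rather than hard-coded truth. In production the same fields come from Sysmon process-create, CreateRemoteThread/ProcessAccess and file events or from EDR telemetry; the dictionary shape here is only a stand-in.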

Remote Access Functionality

Source: Yara match File source: 0.2.file4232024.exe.1fe0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file4232024.exe.1fe0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2026120718.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file4232024.exe PID: 1680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3060, type: MEMORYSTR
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00656596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00656596
Source: C:\Users\user\Desktop\file4232024.exe Code function: 0_2_00656A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00656A5A
No contacted IP infos