
Windows Analysis Report
build.exe

Overview

General Information

Sample name: build.exe
Analysis ID: 1472518
MD5: e5fb57e8214483fd395bd431cb3d1c4b
SHA1: 60e22fc9e0068c8156462f003760efdcac82766b
SHA256: e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684
Tags: exe

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • build.exe (PID: 1856 cmdline: "C:\Users\user\Desktop\build.exe" MD5: E5FB57E8214483FD395BD431CB3D1C4B)
    • conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware configuration (RedLine): {"C2 url": "45.15.156.127:23000"}
Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000000.00000002.3246570367.00000000012AE000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.3246570367.00000000012AE000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.3246740839.0000000001452000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.3246740839.0000000001452000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: build.exe PID: 1856 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara matches (unpacked PE files)

Source | Rule | Description | Author | Strings
0.2.build.exe.12afc24.1.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.2.build.exe.12afc24.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.build.exe.12afc24.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.build.exe.12afc24.1.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x3806d:$s1: file:///
  • 0x37fc9:$s2: {11111-22222-10009-11112}
  • 0x37ffd:$s3: {11111-22222-50001-00000}
  • 0x3370a:$s4: get_Module
  • 0x33a89:$s5: Reverse
  • 0x37282:$s6: BlockCopy
  • 0x33da5:$s7: ReadByte
  • 0x3807f:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.build.exe.12afc24.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: build.exe | Avira: detected
Source: build.exe.1856.0.memstrmin | Malware Configuration Extractor: RedLine {"C2 url": "45.15.156.127:23000"}
Source: build.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
Source: build.exe | Joe Sandbox ML: detected
Source: build.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: build.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb | source: build.exe, 00000000.00000002.3247016957.0000000001636000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb | source: build.exe, 00000000.00000002.3247016957.0000000001636000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdbsq | source: build.exe, 00000000.00000002.3247016957.0000000001636000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbra | source: build.exe, 00000000.00000002.3247016957.0000000001636000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb7MXP | source: build.exe, 00000000.00000002.3247016957.0000000001636000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb | source: build.exe, 00000000.00000002.3248605168.0000000005BEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb | source: build.exe, 00000000.00000002.3247016957.0000000001636000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb | source: build.exe, 00000000.00000002.3247016957.0000000001636000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 | source: build.exe, 00000000.00000002.3248734324.0000000005C42000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002C6167 FindFirstFileExW

Networking

Source: Malware configuration extractor | URLs: 45.15.156.127:23000
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 45.15.156.127:23000
Source: Joe Sandbox View | IP Address: 45.15.156.127
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown | DNS traffic detected: query: 183.59.114.20.in-addr.arpa reply code: Name error (3)
Source: unknown | DNS traffic detected: query: 198.187.3.20.in-addr.arpa reply code: Name error (3)
Source: unknown | TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: build.exe, 00000000.00000002.3247476169.0000000003502000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\]q equals www.youtube.com (Youtube)
Source: build.exe, 00000000.00000002.3247476169.0000000003502000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: build.exe, 00000000.00000002.3247476169.0000000003502000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\]q equals www.youtube.com (Youtube)
Source: build.exe, 00000000.00000002.3247476169.0000000003502000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,]q equals www.youtube.com (Youtube)
Source: build.exe, 00000000.00000002.3247476169.0000000003502000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: `,]q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: 183.59.114.20.in-addr.arpa
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/8)
Source: build.exe, 00000000.00000002.3247476169.0000000003618000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/RestAPI/
Source: build.exe, 00000000.00000002.3247476169.00000000036DF000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000365B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000369D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.0000000003618000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/RestAPI/TreeObject1LR
Source: build.exe, 00000000.00000002.3247476169.00000000036DF000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000365B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000369D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.0000000003618000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/RestAPI/TreeObject1Response
Source: build.exe, 00000000.00000002.3247476169.00000000036DF000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000365B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000369D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.0000000003618000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/RestAPI/TreeObject2LR
Source: build.exe, 00000000.00000002.3247476169.00000000036DF000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000365B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000369D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.0000000003618000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/RestAPI/TreeObject2Response
Source: build.exe, 00000000.00000002.3247476169.00000000036DF000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000365B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000369D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.0000000003618000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/RestAPI/TreeObject3LR
Source: build.exe, 00000000.00000002.3247476169.00000000036DF000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000365B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000354C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.000000000369D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000000.00000002.3247476169.0000000003618000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/RestAPI/TreeObject3Response
Source: build.exe, 00000000.00000002.3247476169.00000000034C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.s
Source: build.exe, 00000000.00000002.3247476169.00000000034C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip

System Summary

Source: 0.2.build.exe.12afc24.1.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.build.exe.12afc24.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.build.exe.1450000.2.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.build.exe.12afc24.1.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002C9ABE
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002B2CE0
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002CE5B9
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_05870B98
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_05870900
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_05870910
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_05870B8B
Source: C:\Users\user\Desktop\build.exe | Code function: String function: 002B99A0 appears 48 times
Source: C:\Users\user\Desktop\build.exe | Code function: String function: 002B5D90 appears 45 times
Source: build.exe, 00000000.00000002.3246570367.00000000012AE000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHearths.exe" vs build.exe
Source: build.exe, 00000000.00000002.3247016957.00000000015FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs build.exe
Source: build.exe, 00000000.00000002.3246788827.0000000001492000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHearths.exe" vs build.exe
Source: 0.2.build.exe.12afc24.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.build.exe.12afc24.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.build.exe.1450000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.build.exe.12afc24.1.raw.unpack, Strings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.build.exe.12afc24.1.raw.unpack, WdBnEYAg1nRyqJHbk0Q.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.build.exe.12afc24.1.raw.unpack, WdBnEYAg1nRyqJHbk0Q.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/0@2/1
Source: C:\Users\user\Desktop\build.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1268:120:WilError_03
Source: build.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\build.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\build.exe "C:\Users\user\Desktop\build.exe"
Source: C:\Users\user\Desktop\build.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\build.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\build.exe | Section loaded: mswsock.dll
Source: build.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: 0.2.build.exe.12afc24.1.raw.unpack, WdBnEYAg1nRyqJHbk0Q.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002B2F90 VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,lstrlenW,CreateThread,Sleep,WaitForSingleObject
Source: build.exe | Static PE information: real checksum: 0x89ea0 should be: 0x874be
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002B5710 push eax; ret 0_2_002B5C31
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002D1C15 push ecx; ret 0_2_002D1C28
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_0587E0D0 pushad ; iretd 0_2_0587E249
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_0587E242 pushad ; iretd 0_2_0587E249
Source: 0.2.build.exe.12afc24.1.raw.unpack, WdBnEYAg1nRyqJHbk0Q.cs | High entropy of concatenated method names: 'Deym16AiJU', 'g38PJ8K3c0', 'bxAmNgpIsj', 'e1hmfGryNP', 'lwtmvR4TbI', 'gTTmjxPf2K', 'etPftZtnFF', 'k8lAkyS3d0', 'JTKAaFtTtb', 'ShGAiaNY5l'
Source: 0.2.build.exe.12afc24.1.raw.unpack, jtvT30mIe4m7msKUQwZ.cs | High entropy of concatenated method names: 'VkGmG6avNL', 'ioJmo5Cece', 'G4Vmx95Kxx', 's2amJtTEpL', 'xc1mQF3iqc', 'GdGmEOsNfa', 'BKFmbRmVTI', 'Dutm8SOTEe', 'e3Am0acWmO', 'bJjmLl8bTU'
Source: C:\Users\user\Desktop\build.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: build.exe, 00000000.00000002.3246570367.00000000012AE000.00000004.00000010.00020000.00000000.sdmp, build.exe, 00000000.00000002.3246740839.0000000001452000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE
                    Source: C:\Users\user\Desktop\build.exe | Memory allocated: 3230000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\build.exe | Memory allocated: 3430000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\build.exe | Memory allocated: 3230000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\build.exe | API coverage: 8.9 %
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002C6167 FindFirstFileExW,0_2_002C6167
                    Source: build.exe, 00000000.00000002.3246570367.00000000012AE000.00000004.00000010.00020000.00000000.sdmp, build.exe, 00000000.00000002.3246740839.0000000001452000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe
                    Source: build.exe, 00000000.00000002.3247016957.0000000001636000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002BFD93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002BFD93
                    Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002B2F90 VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,lstrlenW,CreateThread,Sleep,WaitForSingleObject,0_2_002B2F90
                    Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002B2F90 mov eax, dword ptr fs:[00000030h] 0_2_002B2F90
                    Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002C7D34 GetProcessHeap,0_2_002C7D34
                    Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002B992D SetUnhandledExceptionFilter,0_2_002B992D
                    Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002B9B5D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_002B9B5D
                    Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002BFD93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002BFD93
                    Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002B97CE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002B97CE
                    Source: C:\Users\user\Desktop\build.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002B95EA cpuid 0_2_002B95EA
                    Source: C:\Users\user\Desktop\build.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_002CA008
                    Source: C:\Users\user\Desktop\build.exe | Code function: GetLocaleInfoW,0_2_002CA8A7
                    Source: C:\Users\user\Desktop\build.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_002CA97D
                    Source: C:\Users\user\Desktop\build.exe | Code function: EnumSystemLocalesW,0_2_002CA2B4
                    Source: C:\Users\user\Desktop\build.exe | Code function: EnumSystemLocalesW,0_2_002CA2FF
                    Source: C:\Users\user\Desktop\build.exe | Code function: GetLocaleInfoW,0_2_002C7ADD
                    Source: C:\Users\user\Desktop\build.exe | Code function: EnumSystemLocalesW,0_2_002CA39A
                    Source: C:\Users\user\Desktop\build.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_002CA425
                    Source: C:\Users\user\Desktop\build.exe | Code function: EnumSystemLocalesW,0_2_002C75B1
                    Source: C:\Users\user\Desktop\build.exe | Code function: GetLocaleInfoW,0_2_002CA678
                    Source: C:\Users\user\Desktop\build.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_002CA7A1
                    Source: C:\Users\user\Desktop\build.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                    Source: C:\Users\user\Desktop\build.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\build.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\build.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\build.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\build.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_002B99E8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_002B99E8
                    Source: C:\Users\user\Desktop\build.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.build.exe.12afc24.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.build.exe.12afc24.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.build.exe.1450000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.3246570367.00000000012AE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.3246740839.0000000001452000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: build.exe PID: 1856, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.build.exe.12afc24.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.build.exe.12afc24.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.build.exe.1450000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.3246570367.00000000012AE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.3246740839.0000000001452000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: build.exe PID: 1856, type: MEMORYSTR

                    ATT&CK Matrix (one tactic per line; a number in parentheses is the count of matched signatures for that technique)

                    Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
                    Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
                    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
                    Execution: Native API (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
                    Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
                    Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
                    Defense Evasion: Virtualization/Sandbox Evasion (1), Disable or Modify Tools (1), Process Injection (1), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1)
                    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
                    Discovery: System Time Discovery (1), Security Software Discovery (121), Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), System Information Discovery (33), Wi-Fi Discovery, Remote System Discovery
                    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
                    Collection: Archive Collected Data (11), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
                    Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (11), Fallback Channels, Multiband Communication, Commonly Used Port
                    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
                    Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery