Edit tour

Windows Analysis Report
stage-0.bin.exe

Overview

General Information

Sample name:	stage-0.bin.exe
Analysis ID:	1551387
MD5:	8b7d2590f1fb0dfd81b796f4b4723542
SHA1:	b492d614f7749220b934127cdfc737426797890c
SHA256:	b0968bdb6a175a38ec05efcf605ed61411d16e63e692bc0d7b8f1f747ce3b2e5
Tags:	exeGCleanerpackeruser-plebourhis
Infos:

Detection

GCleaner

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GCleaner

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

stage-0.bin.exe (PID: 1484 cmdline: "C:\Users\user\Desktop\stage-0.bin.exe" MD5: 8B7D2590F1FB0DFD81B796F4B4723542)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
GCleaner		No Attribution	https://bazaar.abuse.ch/browse/signature/GCleaner/ https://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/ https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/	https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner

Malware Configuration

Threatname: GCleaner

{"C2 addresses": ["185.172.128.90", "5.42.65.115"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3375674668.00000000007BC000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1398:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3375447042.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000000.00000002.3375598842.0000000000710000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000000.00000002.3375598842.0000000000710000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.2129643395.0000000000740000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.stage-0.bin.exe.400000.0.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0.3.stage-0.bin.exe.740000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0.2.stage-0.bin.exe.710e67.1.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0.3.stage-0.bin.exe.740000.0.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0.2.stage-0.bin.exe.710e67.1.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0.2.stage-0.bin.exe.400000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
Click to see the 1 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T17:35:27.732600+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.6	49758	TCP
2024-11-07T17:35:55.246016+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.6	53298	TCP

ETPRO MALWARE Win32/Unknown Loader Related Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T17:35:05.807851+0100	2856233	1	A Network Trojan was detected	192.168.2.6	53308	185.172.128.90	80	TCP
2024-11-07T17:35:19.807581+0100	2856233	1	A Network Trojan was detected	192.168.2.6	49709	185.172.128.90	80	TCP
2024-11-07T17:35:33.312240+0100	2856233	1	A Network Trojan was detected	192.168.2.6	49752	185.172.128.90	80	TCP
2024-11-07T17:35:46.820698+0100	2856233	1	A Network Trojan was detected	192.168.2.6	49813	185.172.128.90	80	TCP
2024-11-07T17:36:00.443027+0100	2856233	1	A Network Trojan was detected	192.168.2.6	49828	185.172.128.90	80	TCP
2024-11-07T17:36:13.937631+0100	2856233	1	A Network Trojan was detected	192.168.2.6	53300	185.172.128.90	80	TCP
2024-11-07T17:36:27.445639+0100	2856233	1	A Network Trojan was detected	192.168.2.6	53301	185.172.128.90	80	TCP
2024-11-07T17:36:40.958410+0100	2856233	1	A Network Trojan was detected	192.168.2.6	53304	185.172.128.90	80	TCP
2024-11-07T17:36:54.449681+0100	2856233	1	A Network Trojan was detected	192.168.2.6	53305	185.172.128.90	80	TCP
2024-11-07T17:37:07.954255+0100	2856233	1	A Network Trojan was detected	192.168.2.6	53307	185.172.128.90	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: stage-0.bin.exe

Avira: detected

Found malware configuration

Source: 0.2.stage-0.bin.exe.400000.0.unpack

Malware Configuration Extractor: GCleaner {"C2 addresses": ["185.172.128.90", "5.42.65.115"]}

Multi AV Scanner detection for submitted file

Source: stage-0.bin.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: stage-0.bin.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\stage-0.bin.exe

Unpacked PE file: 0.2.stage-0.bin.exe.400000.0.unpack

Source: stage-0.bin.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\stage-0.bin.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:

Binary string: C:\giroza\gok\didamufufenuse-kusoj.pdb source: stage-0.bin.exe

Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00415802 FindFirstFileExW,		0_2_00415802
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00725A69 FindFirstFileExW,		0_2_00725A69

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856233 - Severity 1 - ETPRO MALWARE Win32/Unknown Loader Related Activity (GET) : 192.168.2.6:49709 -> 185.172.128.90:80
Source: Network traffic	Suricata IDS: 2856233 - Severity 1 - ETPRO MALWARE Win32/Unknown Loader Related Activity (GET) : 192.168.2.6:49752 -> 185.172.128.90:80
Source: Network traffic	Suricata IDS: 2856233 - Severity 1 - ETPRO MALWARE Win32/Unknown Loader Related Activity (GET) : 192.168.2.6:49813 -> 185.172.128.90:80
Source: Network traffic	Suricata IDS: 2856233 - Severity 1 - ETPRO MALWARE Win32/Unknown Loader Related Activity (GET) : 192.168.2.6:49828 -> 185.172.128.90:80
Source: Network traffic	Suricata IDS: 2856233 - Severity 1 - ETPRO MALWARE Win32/Unknown Loader Related Activity (GET) : 192.168.2.6:53307 -> 185.172.128.90:80
Source: Network traffic	Suricata IDS: 2856233 - Severity 1 - ETPRO MALWARE Win32/Unknown Loader Related Activity (GET) : 192.168.2.6:53300 -> 185.172.128.90:80
Source: Network traffic	Suricata IDS: 2856233 - Severity 1 - ETPRO MALWARE Win32/Unknown Loader Related Activity (GET) : 192.168.2.6:53305 -> 185.172.128.90:80
Source: Network traffic	Suricata IDS: 2856233 - Severity 1 - ETPRO MALWARE Win32/Unknown Loader Related Activity (GET) : 192.168.2.6:53301 -> 185.172.128.90:80
Source: Network traffic	Suricata IDS: 2856233 - Severity 1 - ETPRO MALWARE Win32/Unknown Loader Related Activity (GET) : 192.168.2.6:53304 -> 185.172.128.90:80
Source: Network traffic	Suricata IDS: 2856233 - Severity 1 - ETPRO MALWARE Win32/Unknown Loader Related Activity (GET) : 192.168.2.6:53308 -> 185.172.128.90:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 185.172.128.90
Source: Malware configuration extractor	IPs: 5.42.65.115

Source: Joe Sandbox View	IP Address: 185.172.128.90 185.172.128.90
Source: Joe Sandbox View	IP Address: 5.42.65.115 5.42.65.115

Source: Joe Sandbox View	ASN Name: NADYMSS-ASRU NADYMSS-ASRU
Source: Joe Sandbox View	ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:53298
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49758

Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=two HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.172.128.90Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=two HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.172.128.90Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=two HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.172.128.90Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=two HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.172.128.90Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=two HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.172.128.90Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=two HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.172.128.90Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=two HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.172.128.90Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=two HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.172.128.90Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=two HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.172.128.90Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=two HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.172.128.90Connection: Keep-AliveCache-Control: no-cache

Source: stage-0.bin.exe, 00000000.00000002.3375693312.000000000088E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=two
Source: stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=two8
Source: stage-0.bin.exe, 00000000.00000002.3375693312.000000000085C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=two;
Source: stage-0.bin.exe, 00000000.00000002.3375693312.000000000088E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=twoB
Source: stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=twoD
Source: stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, stage-0.bin.exe, 00000000.00000002.3375693312.000000000088E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=twoV
Source: stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=twoZ
Source: stage-0.bin.exe, 00000000.00000002.3375693312.000000000085C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=twoc
Source: stage-0.bin.exe, 00000000.00000002.3375693312.000000000088E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=twoj
Source: stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=twol
Source: stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=twop
Source: stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=twoz
Source: stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=one&s=two~

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.3375674668.00000000007BC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3375598842.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00404610	0_2_00404610
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00409810	0_2_00409810
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00418101	0_2_00418101
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00413C09	0_2_00413C09
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00413414	0_2_00413414
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00421DEE	0_2_00421DEE
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00714877	0_2_00714877
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00719A77	0_2_00719A77
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00728368	0_2_00728368
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_0072367B	0_2_0072367B

Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: String function: 00718C77 appears 38 times
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: String function: 00408A10 appears 38 times

Source: stage-0.bin.exe, 00000000.00000000.2118666511.0000000000448000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWonder4 vs stage-0.bin.exe
Source: stage-0.bin.exe	Binary or memory string: OriginalFilenameWonder4 vs stage-0.bin.exe

Source: stage-0.bin.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.3375674668.00000000007BC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3375598842.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: stage-0.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/2

Source: C:\Users\user\Desktop\stage-0.bin.exe

Code function: 0_2_007BD3C6 CreateToolhelp32Snapshot,Module32First,

0_2_007BD3C6

Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: `a}{	0_2_00404610
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: NOSUB	0_2_00404610
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: NOSUB	0_2_00404610
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: NOSUB	0_2_00404610
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: NOSUB	0_2_00404610
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: >p@	0_2_00404610
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: 6p@	0_2_00404610
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: `a}{	0_2_00714877
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: NOSUB	0_2_00714877
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: NOSUB	0_2_00714877
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: NOSUB	0_2_00714877
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: NOSUB	0_2_00714877
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: 4zB	0_2_00714877
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: yB	0_2_00714877
Source: C:\Users\user\Desktop\stage-0.bin.exe	Command line argument: lyB	0_2_00714877

Source: stage-0.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\stage-0.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: stage-0.bin.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage-0.bin.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\stage-0.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\stage-0.bin.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: stage-0.bin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\giroza\gok\didamufufenuse-kusoj.pdb source: stage-0.bin.exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\stage-0.bin.exe

Unpacked PE file: 0.2.stage-0.bin.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\stage-0.bin.exe

Unpacked PE file: 0.2.stage-0.bin.exe.400000.0.unpack

Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_0040852E push ecx; ret	0_2_00408541
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007241CF push esp; retf	0_2_007241D7
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_0072C674 push edi; retf	0_2_0072C678
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_0072C6C5 push es; retf	0_2_0072C6C9
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007247CD push esp; retf	0_2_007247CE
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00718795 push ecx; ret	0_2_007187A8
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007C2160 push ecx; ret	0_2_007C21A8
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007BE14E pushad ; retf	0_2_007BE165
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007C2145 push ecx; ret	0_2_007C21A8
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007C21A9 push ecx; ret	0_2_007C21A8
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007BFAB8 push 4AE86760h; ret	0_2_007BFABE
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007C03DE push eax; iretd	0_2_007C03E7
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007C043E pushad ; ret	0_2_007C0442
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007BF5D5 push 00000000h; ret	0_2_007BF5E3
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007BF5A8 push ecx; ret	0_2_007BF5A9

Source: stage-0.bin.exe

Static PE information: section name: .text entropy: 7.538305971867237

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\stage-0.bin.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-25746

Source: C:\Users\user\Desktop\stage-0.bin.exe

API coverage: 4.6 %

Source: C:\Users\user\Desktop\stage-0.bin.exe TID: 1812

Thread sleep time: -45000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\stage-0.bin.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00415802 FindFirstFileExW,		0_2_00415802
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00725A69 FindFirstFileExW,		0_2_00725A69

Source: stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, stage-0.bin.exe, 00000000.00000002.3375693312.0000000000871000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\stage-0.bin.exe

Code function: 0_2_0040C12B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0040C12B

Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00411142 mov eax, dword ptr fs:[00000030h]	0_2_00411142
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_0040C631 mov eax, dword ptr fs:[00000030h]	0_2_0040C631
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_0071C898 mov eax, dword ptr fs:[00000030h]	0_2_0071C898
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_0071092B mov eax, dword ptr fs:[00000030h]	0_2_0071092B
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007213A9 mov eax, dword ptr fs:[00000030h]	0_2_007213A9
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00710D90 mov eax, dword ptr fs:[00000030h]	0_2_00710D90
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_007BCCA3 push dword ptr fs:[00000030h]	0_2_007BCCA3

Source: C:\Users\user\Desktop\stage-0.bin.exe

Code function: 0_2_00416A3F GetProcessHeap,

0_2_00416A3F

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_0040C12B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0040C12B
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00407C46 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00407C46
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00408625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00408625
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_004087B9 SetUnhandledExceptionFilter,	0_2_004087B9
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_0071888C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0071888C
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00718A20 SetUnhandledExceptionFilter,	0_2_00718A20
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_0071C392 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0071C392
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: 0_2_00717EAD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00717EAD

Source: C:\Users\user\Desktop\stage-0.bin.exe

Code function: 0_2_00408823 cpuid

0_2_00408823

Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: EnumSystemLocalesW,	0_2_004188F2
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: EnumSystemLocalesW,	0_2_0041893D
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: EnumSystemLocalesW,	0_2_004189D8
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: EnumSystemLocalesW,	0_2_00411252
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00418A63
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetLocaleInfoW,	0_2_00418CB6
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00418DDC
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00418650
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetLocaleInfoW,	0_2_00418EE2
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetLocaleInfoW,	0_2_00411774
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00418FB1
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00729043
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_007288B7
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetLocaleInfoW,	0_2_00729149
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetLocaleInfoW,	0_2_007219DB
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00729218
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: EnumSystemLocalesW,	0_2_00728B59
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: EnumSystemLocalesW,	0_2_00728BA4
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: EnumSystemLocalesW,	0_2_00728C3F
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00728CCA
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: EnumSystemLocalesW,	0_2_007214B9
Source: C:\Users\user\Desktop\stage-0.bin.exe	Code function: GetLocaleInfoW,	0_2_00728F1D

Source: C:\Users\user\Desktop\stage-0.bin.exe

Code function: 0_2_0040C9D1 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_0040C9D1

Stealing of Sensitive Information

Yara detected GCleaner

Source: Yara match	File source: 0.2.stage-0.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.stage-0.bin.exe.740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.stage-0.bin.exe.710e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.stage-0.bin.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.stage-0.bin.exe.710e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.stage-0.bin.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3375447042.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3375598842.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2129643395.0000000000740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected GCleaner

Source: Yara match	File source: 0.2.stage-0.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.stage-0.bin.exe.740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.stage-0.bin.exe.710e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.stage-0.bin.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.stage-0.bin.exe.710e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.stage-0.bin.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3375447042.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3375598842.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2129643395.0000000000740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
stage-0.bin.exe	79%	ReversingLabs	Win32.Trojan.SmokeLoader
stage-0.bin.exe	100%	Avira	HEUR/AGEN.1312686
stage-0.bin.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://185.172.128.90/cpa/ping.php?substr=one&s=twoV	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=two8	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=twoZ	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=two	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=two;	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=twoD	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=two~	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=twop	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=twol	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=twoc	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=twoj	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=twoB	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://185.172.128.90/cpa/ping.php?substr=one&s=two	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.172.128.90/cpa/ping.php?substr=one&s=twoV	stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, stage-0.bin.exe, 00000000.00000002.3375693312.000000000088E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=one&s=two8	stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=one&s=twoZ	stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=one&s=twoz	stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.172.128.90/cpa/ping.php?substr=one&s=two;	stage-0.bin.exe, 00000000.00000002.3375693312.000000000085C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=one&s=two~	stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=one&s=twoB	stage-0.bin.exe, 00000000.00000002.3375693312.000000000088E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=one&s=twoc	stage-0.bin.exe, 00000000.00000002.3375693312.000000000085C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=one&s=twoD	stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=one&s=twoj	stage-0.bin.exe, 00000000.00000002.3375693312.000000000088E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=one&s=twol	stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=one&s=twop	stage-0.bin.exe, 00000000.00000002.3375980592.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.172.128.90	unknown	Russian Federation		50916	NADYMSS-ASRU	true
5.42.65.115	unknown	Russian Federation		39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551387
Start date and time:	2024-11-07 17:34:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	stage-0.bin.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 7 Number of non-executed functions: 145
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: stage-0.bin.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.172.128.90	gcXZMzQnNJ.exe	Get hash	malicious	GCleaner, Nymaim	Browse	185.172.128.90/cpa/name.php
	LisectAVT_2403002B_111.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab
	LisectAVT_2403002B_301.exe	Get hash	malicious	Bdaejec, GCleaner	Browse	185.172.128.90/cpa/ping.php?substr=one&s=two
	LisectAVT_2403002C_29.exe	Get hash	malicious	Unknown	Browse	185.172.128.90/cpa/ping.php?substr=0&s=ab&sub=0
	LisectAVT_2403002C_30.exe	Get hash	malicious	Unknown	Browse	185.172.128.90/cpa/ping.php?substr=0&s=ab&sub=0
	LisectAVT_2403002C_29.exe	Get hash	malicious	Unknown	Browse	185.172.128.90/cpa/ping.php?substr=0&s=ab&sub=0
	LisectAVT_2403002C_30.exe	Get hash	malicious	Unknown	Browse	185.172.128.90/cpa/ping.php?substr=0&s=ab&sub=0
	LisectAVT_2403002C_40.exe	Get hash	malicious	Unknown	Browse	185.172.128.90/cpa/ping.php?substr=0&s=ab&sub=0
	LisectAVT_2403002C_40.exe	Get hash	malicious	Unknown	Browse	185.172.128.90/cpa/ping.php?substr=0&s=ab&sub=0
	yAdC8RYkuL.exe	Get hash	malicious	Unknown	Browse	185.172.128.90/cpa/ping.php?substr=ten&s=ab&sub=0
5.42.65.115	Pp8XG0Vz4D.exe	Get hash	malicious	GCleaner	Browse	5.42.65.115/advdlc.php
	mxsujj4FZz.exe	Get hash	malicious	GCleaner, RedLine	Browse	5.42.65.115/advdlc.php
	UzMahCzo58.exe	Get hash	malicious	LummaC, GCleaner, LummaC Stealer	Browse	5.42.65.115/advdlc.php
	hkXE3abs6j.exe	Get hash	malicious	GCleaner, RedLine	Browse	5.42.65.115/advdlc.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	yakuza.ppc.elf	Get hash	malicious	Unknown	Browse	5.42.81.47
	1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.15.158.112
	QmFIR949GC.exe	Get hash	malicious	RedLine	Browse	5.42.92.74
	CFYd8cbC6L.exe	Get hash	malicious	RedLine	Browse	5.42.92.74
	AdmalRLZI0.exe	Get hash	malicious	RedLine	Browse	5.42.92.74
	SecuriteInfo.com.Trojan.PWS.Stealer.39881.9434.15338.exe	Get hash	malicious	Unknown	Browse	5.42.66.119
	b2smJKgMG6.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	5.42.92.37
	Payment Advicegpj..exe	Get hash	malicious	Unknown	Browse	5.42.94.169
	Payment Advicegpj..exe	Get hash	malicious	Unknown	Browse	5.42.94.169
	SecuriteInfo.com.Win32.Evo-gen.25810.23454.exe	Get hash	malicious	XWorm	Browse	5.42.92.74
NADYMSS-ASRU	SecuriteInfo.com.Win32.DropperX-gen.11998.28068.exe	Get hash	malicious	Atlantida Stealer	Browse	185.172.128.95
	SecuriteInfo.com.Trojan.DownLoader46.50284.31233.3388.exe	Get hash	malicious	Atlantida Stealer	Browse	185.172.128.95
	gcXZMzQnNJ.exe	Get hash	malicious	GCleaner, Nymaim	Browse	185.172.128.90
	7NtKYH4Ejx.exe	Get hash	malicious	Nymaim	Browse	185.172.128.90
	7NtKYH4Ejx.exe	Get hash	malicious	Nymaim	Browse	185.172.128.90
	3tSeYcCHhT.exe	Get hash	malicious	Atlantida Stealer, PureLog Stealer	Browse	185.172.128.95
	LisectAVT_2403002A_152.exe	Get hash	malicious	Unknown	Browse	185.172.128.87
	LisectAVT_2403002A_206.exe	Get hash	malicious	Unknown	Browse	185.172.128.87
	LisectAVT_2403002B_111.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.187
	LisectAVT_2403002B_301.exe	Get hash	malicious	Bdaejec, GCleaner	Browse	185.172.128.90

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.570413348027663
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	stage-0.bin.exe
File size:	343'552 bytes
MD5:	8b7d2590f1fb0dfd81b796f4b4723542
SHA1:	b492d614f7749220b934127cdfc737426797890c
SHA256:	b0968bdb6a175a38ec05efcf605ed61411d16e63e692bc0d7b8f1f747ce3b2e5
SHA512:	5381413edddf5b7ed746fccf00560e0e326cf499b2149c2fe7fadca6511a6008d9ab6521c1bad1ab74c53765c27eed9c27a80879395597d22e2071b98dfd8f38
SSDEEP:	3072:M4WBLuupGWmJT8kk4nhCvjzgQdeTDKnBmnMPbdyqJD2/OX3kaVw5OvRQ46+a:F4LgWC9k8Cvjz8TDKnBPb0wKWfvRQ4V
TLSH:	EA745C03B2E1BD51E9278B729E2FC6F8366EF5608E59776E2218EE1F14B01B1C163711
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...y..b...................

File Icon


Icon Hash:	7141410943415053

Static PE Info

General

Entrypoint:	0x4025af
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F8C979 [Sun Aug 14 10:07:53 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b585adb193cc73047fae4142a994b352

Entrypoint Preview

Instruction
call 00007F94EC52739Dh
jmp 00007F94EC522F2Eh
int3
int3
int3
int3
int3
int3
int3
mov edx, dword ptr [esp+0Ch]
mov ecx, dword ptr [esp+04h]
test edx, edx
je 00007F94EC52311Bh
xor eax, eax
mov al, byte ptr [esp+08h]
test al, al
jne 00007F94EC5230C8h
cmp edx, 00000100h
jc 00007F94EC5230C0h
cmp dword ptr [00447548h], 00000000h
je 00007F94EC5230B7h
jmp 00007F94EC527452h
push edi
mov edi, ecx
cmp edx, 04h
jc 00007F94EC5230E3h
neg ecx
and ecx, 03h
je 00007F94EC5230BEh
sub edx, ecx
mov byte ptr [edi], al
add edi, 01h
sub ecx, 01h
jne 00007F94EC5230A8h
mov ecx, eax
shl eax, 08h
add eax, ecx
mov ecx, eax
shl eax, 10h
add eax, ecx
mov ecx, edx
and edx, 03h
shr ecx, 02h
je 00007F94EC5230B8h
rep stosd
test edx, edx
je 00007F94EC5230BCh
mov byte ptr [edi], al
add edi, 01h
sub edx, 01h
jne 00007F94EC5230A8h
mov eax, dword ptr [esp+08h]
pop edi
ret
mov eax, dword ptr [esp+04h]
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov dword ptr [0043A200h], eax
mov dword ptr [0043A204h], eax
mov dword ptr [0043A208h], eax
mov dword ptr [0043A20Ch], eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov ecx, dword ptr [004354ACh]
push esi
cmp dword ptr [eax+04h], edx
je 00007F94EC5230C1h
mov esi, ecx
imul esi, esi, 0Ch
add esi, dword ptr [ebp+08h]
add eax, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3437c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x48000	0x1a8c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2f1e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x33c70	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x33c28	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2f000	0x194	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2de76	0x2e000	f6f6f9f0fa8f0eae5d4b4cfded21a7a5	False	0.7982814622961957	data	7.538305971867237	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2f000	0x5cba	0x5e00	48759bc42397773d366f3362ad6507bc	False	0.4256150265957447	data	5.810835322343505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x35000	0x12564	0x5200	7096d9c211f4e1382ddd6c61e3f5e85b	False	0.10642149390243902	data	1.2364473648857537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x48000	0x1a8c0	0x1aa00	3b00dce7157587a18db38007d1d3df12	False	0.39469630281690143	data	4.658179050690975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x5d078	0xe	data			1.5714285714285714
LAW	0x5b1f8	0x1e31	ASCII text, with very long lines (7729), with no line terminators	Romanian	Romania	0.5890800879803338
RT_CURSOR	0x5d088	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0x5df30	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0x5e7d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0x5ed70	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.26439232409381663
RT_CURSOR	0x5fc18	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.3686823104693141
RT_CURSOR	0x604c0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.49060693641618497
RT_CURSOR	0x60a58	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x60b88	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_ICON	0x489c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.43390191897654584
RT_ICON	0x49868	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.5505415162454874
RT_ICON	0x4a110	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania	0.5852534562211982
RT_ICON	0x4a7d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.611271676300578
RT_ICON	0x4ad40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.4446058091286307
RT_ICON	0x4d2e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.4950750469043152
RT_ICON	0x4e390	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.524822695035461
RT_ICON	0x4e860	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Romanian	Romania	0.5170575692963753
RT_ICON	0x4f708	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Romanian	Romania	0.5103790613718412
RT_ICON	0x4ffb0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Romanian	Romania	0.45794930875576034
RT_ICON	0x50678	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Romanian	Romania	0.47398843930635837
RT_ICON	0x50be0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Romanian	Romania	0.2816390041493776
RT_ICON	0x53188	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Romanian	Romania	0.3074577861163227
RT_ICON	0x54230	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Romanian	Romania	0.33647540983606555
RT_ICON	0x54bb8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Romanian	Romania	0.37322695035460995
RT_ICON	0x55098	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.494136460554371
RT_ICON	0x55f40	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.4693140794223827
RT_ICON	0x567e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.43352601156069365
RT_ICON	0x56d50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.27634854771784234
RT_ICON	0x592f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.2861163227016886
RT_ICON	0x5a3a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Romanian	Romania	0.30204918032786887
RT_ICON	0x5ad28	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.33599290780141844
RT_STRING	0x60e50	0x456	data	Romanian	Romania	0.4594594594594595
RT_STRING	0x612a8	0x512	data	Romanian	Romania	0.4406779661016949
RT_STRING	0x617c0	0x414	data	Romanian	Romania	0.45977011494252873
RT_STRING	0x61bd8	0x598	data	Romanian	Romania	0.44273743016759776
RT_STRING	0x62170	0x4aa	data	Romanian	Romania	0.457286432160804
RT_STRING	0x62620	0x29c	data	Romanian	Romania	0.4865269461077844
RT_ACCELERATOR	0x5d030	0x48	data	Romanian	Romania	0.8472222222222222
RT_GROUP_CURSOR	0x5ed40	0x30	data			0.9375
RT_GROUP_CURSOR	0x60a28	0x30	data			0.9375
RT_GROUP_CURSOR	0x60c38	0x22	data			1.0588235294117647
RT_GROUP_ICON	0x4e7f8	0x68	data	Romanian	Romania	0.6826923076923077
RT_GROUP_ICON	0x55020	0x76	data	Romanian	Romania	0.6779661016949152
RT_GROUP_ICON	0x5b190	0x68	data	Romanian	Romania	0.7115384615384616
RT_VERSION	0x60c60	0x1f0	MS Windows COFF PowerPC object file			0.5362903225806451

Imports

DLL	Import
KERNEL32.dll	InterlockedIncrement, GetLogicalDriveStringsW, AddConsoleAliasW, GetModuleHandleW, GetTickCount, FindNextVolumeMountPointA, TlsSetValue, LoadLibraryW, SetCommConfig, AssignProcessToJobObject, WriteConsoleW, GetModuleFileNameW, CreateJobObjectA, InterlockedExchange, GetLastError, GetProcAddress, VirtualAlloc, SetVolumeLabelW, SetComputerNameExA, OpenMutexA, OpenWaitableTimerW, LocalAlloc, MoveFileA, GetNumberFormatW, RemoveDirectoryW, GlobalFindAtomW, EnumResourceTypesW, GetConsoleTitleW, VirtualProtect, GetFileAttributesExW, GetCurrentProcessId, UnregisterWaitEx, DeleteFileA, GetVolumeInformationW, LoadLibraryA, GetSystemDefaultLangID, FlushFileBuffers, UnhandledExceptionFilter, SetUnhandledExceptionFilter, Sleep, ExitProcess, GetStartupInfoW, WriteFile, GetStdHandle, GetModuleFileNameA, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, HeapFree, TlsGetValue, TlsAlloc, TlsFree, SetLastError, GetCurrentThreadId, InterlockedDecrement, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, HeapCreate, VirtualFree, QueryPerformanceCounter, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetModuleHandleA, RaiseException, HeapAlloc, HeapReAlloc, HeapSize, RtlUnwind, GetLocaleInfoA, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, CreateFileA, CloseHandle
USER32.dll	GetMenu
GDI32.dll	GetCharABCWidthsFloatW
WINHTTP.dll	WinHttpSetOption

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T17:35:05.807851+0100	2856233	ETPRO MALWARE Win32/Unknown Loader Related Activity (GET)	1	192.168.2.6	53308	185.172.128.90	80	TCP
2024-11-07T17:35:19.807581+0100	2856233	ETPRO MALWARE Win32/Unknown Loader Related Activity (GET)	1	192.168.2.6	49709	185.172.128.90	80	TCP
2024-11-07T17:35:27.732600+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.6	49758	TCP
2024-11-07T17:35:33.312240+0100	2856233	ETPRO MALWARE Win32/Unknown Loader Related Activity (GET)	1	192.168.2.6	49752	185.172.128.90	80	TCP
2024-11-07T17:35:46.820698+0100	2856233	ETPRO MALWARE Win32/Unknown Loader Related Activity (GET)	1	192.168.2.6	49813	185.172.128.90	80	TCP
2024-11-07T17:35:55.246016+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.6	53298	TCP
2024-11-07T17:36:00.443027+0100	2856233	ETPRO MALWARE Win32/Unknown Loader Related Activity (GET)	1	192.168.2.6	49828	185.172.128.90	80	TCP
2024-11-07T17:36:13.937631+0100	2856233	ETPRO MALWARE Win32/Unknown Loader Related Activity (GET)	1	192.168.2.6	53300	185.172.128.90	80	TCP
2024-11-07T17:36:27.445639+0100	2856233	ETPRO MALWARE Win32/Unknown Loader Related Activity (GET)	1	192.168.2.6	53301	185.172.128.90	80	TCP
2024-11-07T17:36:40.958410+0100	2856233	ETPRO MALWARE Win32/Unknown Loader Related Activity (GET)	1	192.168.2.6	53304	185.172.128.90	80	TCP
2024-11-07T17:36:54.449681+0100	2856233	ETPRO MALWARE Win32/Unknown Loader Related Activity (GET)	1	192.168.2.6	53305	185.172.128.90	80	TCP
2024-11-07T17:37:07.954255+0100	2856233	ETPRO MALWARE Win32/Unknown Loader Related Activity (GET)	1	192.168.2.6	53307	185.172.128.90	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 17:35:11.319230080 CET	49709	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:11.324541092 CET	80	49709	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:11.324861050 CET	49709	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:11.325412989 CET	49709	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:11.330576897 CET	80	49709	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:19.807385921 CET	80	49709	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:19.807580948 CET	49709	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:19.808077097 CET	49709	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:19.813244104 CET	80	49709	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:24.823981047 CET	49752	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:24.828850031 CET	80	49752	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:24.828950882 CET	49752	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:24.829231024 CET	49752	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:24.834613085 CET	80	49752	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:33.312139034 CET	80	49752	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:33.312239885 CET	49752	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:33.318391085 CET	49752	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:33.323286057 CET	80	49752	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:38.324135065 CET	49813	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:38.329207897 CET	80	49813	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:38.329376936 CET	49813	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:38.329468966 CET	49813	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:38.334393978 CET	80	49813	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:46.820544958 CET	80	49813	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:46.820698023 CET	49813	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:46.820970058 CET	49813	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:46.825894117 CET	80	49813	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:51.926984072 CET	49828	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:51.931906939 CET	80	49828	185.172.128.90	192.168.2.6
Nov 7, 2024 17:35:51.931972027 CET	49828	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:51.938896894 CET	49828	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:35:51.943846941 CET	80	49828	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:00.442939043 CET	80	49828	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:00.443027020 CET	49828	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:00.443121910 CET	49828	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:00.448411942 CET	80	49828	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:05.449366093 CET	53300	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:05.454289913 CET	80	53300	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:05.454400063 CET	53300	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:05.454579115 CET	53300	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:05.459671021 CET	80	53300	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:13.937483072 CET	80	53300	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:13.937630892 CET	53300	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:13.944804907 CET	53300	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:13.949754953 CET	80	53300	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:18.949109077 CET	53301	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:18.954336882 CET	80	53301	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:18.954425097 CET	53301	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:18.954583883 CET	53301	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:18.959824085 CET	80	53301	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:27.445565939 CET	80	53301	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:27.445638895 CET	53301	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:27.445775986 CET	53301	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:27.450790882 CET	80	53301	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:32.450565100 CET	53304	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:32.455548048 CET	80	53304	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:32.455765009 CET	53304	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:32.455765009 CET	53304	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:32.460696936 CET	80	53304	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:40.958333015 CET	80	53304	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:40.958410025 CET	53304	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:40.958492041 CET	53304	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:40.963320017 CET	80	53304	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:45.964895964 CET	53305	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:45.969995975 CET	80	53305	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:45.970105886 CET	53305	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:45.971509933 CET	53305	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:45.976314068 CET	80	53305	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:54.449565887 CET	80	53305	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:54.449681044 CET	53305	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:54.449759960 CET	53305	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:54.457983971 CET	80	53305	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:59.464951992 CET	53307	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:59.469940901 CET	80	53307	185.172.128.90	192.168.2.6
Nov 7, 2024 17:36:59.470036030 CET	53307	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:59.470169067 CET	53307	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:36:59.475034952 CET	80	53307	185.172.128.90	192.168.2.6
Nov 7, 2024 17:37:07.954180002 CET	80	53307	185.172.128.90	192.168.2.6
Nov 7, 2024 17:37:07.954255104 CET	53307	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:37:07.954330921 CET	53307	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:37:07.959142923 CET	80	53307	185.172.128.90	192.168.2.6
Nov 7, 2024 17:37:12.966455936 CET	53308	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:37:12.971438885 CET	80	53308	185.172.128.90	192.168.2.6
Nov 7, 2024 17:37:12.973639011 CET	53308	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:37:12.973800898 CET	53308	80	192.168.2.6	185.172.128.90
Nov 7, 2024 17:37:12.978746891 CET	80	53308	185.172.128.90	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 17:35:53.066246033 CET	53	52667	162.159.36.2	192.168.2.6
Nov 7, 2024 17:35:53.728171110 CET	53	49777	1.1.1.1	192.168.2.6

HTTP Request Dependency Graph

185.172.128.90

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	185.172.128.90	80	1484	C:\Users\user\Desktop\stage-0.bin.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 17:35:11.325412989 CET	411	OUT	GET /cpa/ping.php?substr=one&s=two HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.172.128.90 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49752	185.172.128.90	80	1484	C:\Users\user\Desktop\stage-0.bin.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 17:35:24.829231024 CET	411	OUT	GET /cpa/ping.php?substr=one&s=two HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.172.128.90 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49813	185.172.128.90	80	1484	C:\Users\user\Desktop\stage-0.bin.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 17:35:38.329468966 CET	411	OUT	GET /cpa/ping.php?substr=one&s=two HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.172.128.90 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49828	185.172.128.90	80	1484	C:\Users\user\Desktop\stage-0.bin.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 17:35:51.938896894 CET	411	OUT	GET /cpa/ping.php?substr=one&s=two HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.172.128.90 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	53300	185.172.128.90	80	1484	C:\Users\user\Desktop\stage-0.bin.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 17:36:05.454579115 CET	411	OUT	GET /cpa/ping.php?substr=one&s=two HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.172.128.90 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	53301	185.172.128.90	80	1484	C:\Users\user\Desktop\stage-0.bin.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 17:36:18.954583883 CET	411	OUT	GET /cpa/ping.php?substr=one&s=two HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.172.128.90 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	53304	185.172.128.90	80	1484	C:\Users\user\Desktop\stage-0.bin.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 17:36:32.455765009 CET	411	OUT	GET /cpa/ping.php?substr=one&s=two HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.172.128.90 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	53305	185.172.128.90	80	1484	C:\Users\user\Desktop\stage-0.bin.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 17:36:45.971509933 CET	411	OUT	GET /cpa/ping.php?substr=one&s=two HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.172.128.90 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	53307	185.172.128.90	80	1484	C:\Users\user\Desktop\stage-0.bin.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 17:36:59.470169067 CET	411	OUT	GET /cpa/ping.php?substr=one&s=two HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.172.128.90 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	53308	185.172.128.90	80	1484	C:\Users\user\Desktop\stage-0.bin.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 17:37:12.973800898 CET	411	OUT	GET /cpa/ping.php?substr=one&s=two HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.172.128.90 Connection: Keep-Alive Cache-Control: no-cache

Target ID:	0
Start time:	11:35:08
Start date:	07/11/2024
Path:	C:\Users\user\Desktop\stage-0.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\stage-0.bin.exe"
Imagebase:	0x400000
File size:	343'552 bytes
MD5 hash:	8B7D2590F1FB0DFD81B796F4B4723542
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3375674668.00000000007BC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_GCleaner, Description: Yara detected GCleaner, Source: 00000000.00000002.3375447042.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_GCleaner, Description: Yara detected GCleaner, Source: 00000000.00000002.3375598842.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3375598842.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_GCleaner, Description: Yara detected GCleaner, Source: 00000000.00000003.2129643395.0000000000740000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report stage-0.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: GCleaner

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

Windows Analysis Report
stage-0.bin.exe