
Windows Analysis Report
ZIOpctBE0o.exe

Overview

General Information

Sample name: ZIOpctBE0o.exe (renamed because the original name is a hash value)
Original sample name: de4ed476df7cdbcd737dbd4a8db764cd7d0bca1e6e09748e424645c8a21607d7.exe
Analysis ID: 1617317
MD5: 06ff127c1db7dd45b7e368d8f4ba48e4
SHA1: b11dcbd6d3e9e33046b6f2e1698c595d4a566c67
SHA256: de4ed476df7cdbcd737dbd4a8db764cd7d0bca1e6e09748e424645c8a21607d7
Tags: exe, WHKzW2nr, user-JAMESWT_MHT

Detection

CredGrabber, Meduza Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ZIOpctBE0o.exe (PID: 4712 cmdline: "C:\Users\user\Desktop\ZIOpctBE0o.exe" MD5: 06FF127C1DB7DD45B7E368D8F4BA48E4)
  • cleanup
Extracted malware configuration (Meduza Stealer): {"C2 url": "45.130.145.152", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt; .doc; .xlsx", "build_name": "SEO2.0", "links": "", "port": 15666}
Yara matches (memory dumps)

Source | Rule | Description | Author
00000000.00000002.2060727680.0000020AAC68C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
00000000.00000002.2061379181.0000020AAE5D5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
00000000.00000002.2061153206.0000020AAE1C0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
00000000.00000002.2061153206.0000020AAE1C0000.00000040.00001000.00020000.00000000.sdmp | infostealer_win_meduzastealer | Finds MeduzaStealer samples based on specific strings | Sekoia.io
  Matched strings:
  • 0x114944:$str01: emoji
  • 0x1175d8:$str02: %d-%m-%Y, %H:%M:%S
  • 0x117648:$str03: [UTC
  • 0x117650:$str04: user_name
  • 0x117698:$str05: computer_name
  • 0x117670:$str06: timezone
  • 0x1175a8:$str07: current_path()
  • 0x114908:$str08: [json.exception.
  • 0x12f42c:$str09: GDI32.dll
  • 0x12f69e:$str10: GdipGetImageEncoders
  • 0x12f716:$str10: GdipGetImageEncoders
  • 0x12ecb0:$str11: GetGeoInfoA
Process Memory Space: ZIOpctBE0o.exe PID: 4712 | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
Yara matches (unpacked PEs)

Source | Rule | Description | Author
0.2.ZIOpctBE0o.exe.20aae1c0000.0.raw.unpack | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
0.2.ZIOpctBE0o.exe.20aae1c0000.0.raw.unpack | infostealer_win_meduzastealer | Finds MeduzaStealer samples based on specific strings | Sekoia.io
  Matched strings:
  • 0x114944:$str01: emoji
  • 0x1175d8:$str02: %d-%m-%Y, %H:%M:%S
  • 0x117648:$str03: [UTC
  • 0x117650:$str04: user_name
  • 0x117698:$str05: computer_name
  • 0x117670:$str06: timezone
  • 0x1175a8:$str07: current_path()
  • 0x114908:$str08: [json.exception.
  • 0x12f42c:$str09: GDI32.dll
  • 0x12f69e:$str10: GdipGetImageEncoders
  • 0x12f716:$str10: GdipGetImageEncoders
  • 0x12ecb0:$str11: GetGeoInfoA
0.2.ZIOpctBE0o.exe.20aae1c0000.0.unpack | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
0.2.ZIOpctBE0o.exe.20aae1c0000.0.unpack | infostealer_win_meduzastealer | Finds MeduzaStealer samples based on specific strings | Sekoia.io
  Matched strings:
  • 0x113144:$str01: emoji
  • 0x115dd8:$str02: %d-%m-%Y, %H:%M:%S
  • 0x115e48:$str03: [UTC
  • 0x115e50:$str04: user_name
  • 0x115e98:$str05: computer_name
  • 0x115e70:$str06: timezone
  • 0x115da8:$str07: current_path()
  • 0x113108:$str08: [json.exception.
  • 0x12dc2c:$str09: GDI32.dll
  • 0x12de9e:$str10: GdipGetImageEncoders
  • 0x12df16:$str10: GdipGetImageEncoders
  • 0x12d4b0:$str11: GetGeoInfoA
              No Sigma rule has matched
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-17T18:30:13.148487+0100 | 2049441 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 45.130.145.152 | 15666 | TCP


              AV Detection

Source: 0.2.ZIOpctBE0o.exe.20aae1c0000.0.unpack | Malware Configuration Extractor: Meduza Stealer {"C2 url": "45.130.145.152", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt; .doc; .xlsx", "build_name": "SEO2.0", "links": "", "port": 15666}
Source: ZIOpctBE0o.exe | ReversingLabs: Detection: 75%
Source: ZIOpctBE0o.exe | Virustotal: Detection: 72%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE237BA0 CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE238020 BCryptDecrypt,BCryptDecrypt
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE237EC0 CryptProtectData,LocalFree
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1F7C20 CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1F3A30 BCryptDestroyKey
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE2383C0 BCryptCloseAlgorithmProvider
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE238440 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,Concurrency::cancel_current_task
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: ZIOpctBE0o.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE27B500 FindClose,FindFirstFileExW,GetLastError
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE27B5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE295100 FindFirstFileW
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE2473F0 GetLogicalDriveStringsW
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: D:\sources\replacementmanifests\hwvid-migration-2\

              Networking

Source: Network traffic | Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.5:49704 -> 45.130.145.152:15666
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 45.130.145.152:15666
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Accept: text/html; text/plain; */*  Host: api.ipify.org  Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 45.130.145.152
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | ASN Name: ASBAXETNRU
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | TCP traffic detected without corresponding DNS query: 45.130.145.152
Source: unknown | TCP traffic detected without corresponding DNS query: 45.130.145.152
Source: unknown | TCP traffic detected without corresponding DNS query: 45.130.145.152
Source: unknown | TCP traffic detected without corresponding DNS query: 45.130.145.152
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE244A30 recv,recv,closesocket,WSACleanup
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Accept: text/html; text/plain; */*  Host: api.ipify.org  Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: ZIOpctBE0o.exe, 00000000.00000002.2060727680.0000020AAC70C000.00000004.00000020.00020000.00000000.sdmp, ZIOpctBE0o.exe, 00000000.00000002.2060727680.0000020AAC68C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE245B70 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject

              System Summary

Source: 0.2.ZIOpctBE0o.exe.20aae1c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 0.2.ZIOpctBE0o.exe.20aae1c0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 00000000.00000002.2061153206.0000020AAE1C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE249D30 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE2956F8 NtQuerySystemInformation
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE24A430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE209F80
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE248030
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE23F020
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE22D080
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE24D050
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1F20B0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1EFE20
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE262E3C
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE245B70
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1F4B70
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1F1B90
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1FECB0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1F2CA0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE225970
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1FCA10
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1EF730
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE246860
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1FD570
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE27B5B0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE24C5CB
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1FE610
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE280658
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE2476A0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE205310
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE226350
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1F0450
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE2120F6
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE25918C
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE245240
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE235EF0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1FBF40
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE27FFBC
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE2630B8
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE217CEB
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE234D40
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE250D14
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE258D50
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1C5DB0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1FADD0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE21BDD0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1F0E80
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1F7E70
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE240E90
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE211AF0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE238B00
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE26BB90
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1F98CD
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE23C8E0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE25A924
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1F3A30
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1F0A80
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE266A68
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE235AB0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE21BAB0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE220AC0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE2646E4
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE214720
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE24A780
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE21B780
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE222750
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE25579C
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE25F7E6
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE2614E4
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1E5520
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE246540
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1E6510
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE255598
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1C6610
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE25666C
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE268674
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE2636A8
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE23E2F0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE26A3C8
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE255394
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE2363A6
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1E83D0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE24A430
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE21C420
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE23B420
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE21B480
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE26A44F
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE21C0F0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1C70E0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE25F0D8
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE26C128
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE253150
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1C6180
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE256164
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE2671D8
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE251220
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE2302C0
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: String function: 0000020AAE1F6940 appears 41 times
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: String function: 0000020AAE1EE1D0 appears 33 times
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: String function: 0000020AAE2086B0 appears 57 times
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: String function: 0000020AAE258254 appears 34 times
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: String function: 0000020AAE1EBA80 appears 32 times
Source: 0.2.ZIOpctBE0o.exe.20aae1c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: 0.2.ZIOpctBE0o.exe.20aae1c0000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: 00000000.00000002.2061153206.0000020AAE1C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: classification engine | Classification label: mal100.troj.spyw.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE24B9B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1FE610 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE234ED0 CoCreateInstance
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E69637645C654
Source: ZIOpctBE0o.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ZIOpctBE0o.exe | ReversingLabs: Detection: 75%
Source: ZIOpctBE0o.exe | Virustotal: Detection: 72%
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: ZIOpctBE0o.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: ZIOpctBE0o.exe | Static file information: File size 2749952 > 1048576
Source: ZIOpctBE0o.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x24bc00
Source: ZIOpctBE0o.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ZIOpctBE0o.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ZIOpctBE0o.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ZIOpctBE0o.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ZIOpctBE0o.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ZIOpctBE0o.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ZIOpctBE0o.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: ZIOpctBE0o.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ZIOpctBE0o.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ZIOpctBE0o.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ZIOpctBE0o.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ZIOpctBE0o.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ZIOpctBE0o.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE1FD570 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE20CAB2 push rdi; retf 0004h (0_2_0000020AAE20CAB5)
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE23C600 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE27B500 FindClose,FindFirstFileExW,GetLastError
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Code function: 0_2_0000020AAE27B5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE295100 FindFirstFileW,0_2_0000020AAE295100
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE2473F0 GetLogicalDriveStringsW,0_2_0000020AAE2473F0
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE259038 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,0_2_0000020AAE259038
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeFile opened: D:\sources\migration\Jump to behavior
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeFile opened: D:\sources\replacementmanifests\Jump to behavior
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeFile opened: D:\sources\migration\wtr\Jump to behavior
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeFile opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\Jump to behavior
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeFile opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\Jump to behavior
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeFile opened: D:\sources\replacementmanifests\hwvid-migration-2\Jump to behavior
              Source: ZIOpctBE0o.exe, 00000000.00000002.2060727680.0000020AAC70C000.00000004.00000020.00020000.00000000.sdmp, ZIOpctBE0o.exe, 00000000.00000002.2060727680.0000020AAC68C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeAPI call chain: ExitProcess graph end nodegraph_0-68922
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeAPI call chain: ExitProcess graph end nodegraph_0-68927
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE295708 LdrEnumerateLoadedModules,0_2_0000020AAE295708
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE257F68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0000020AAE257F68
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE27D804 GetLastError,IsDebuggerPresent,OutputDebugStringW,0_2_0000020AAE27D804
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE1FD570 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,0_2_0000020AAE1FD570
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE269EEC GetProcessHeap,0_2_0000020AAE269EEC
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE257F68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0000020AAE257F68
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE2952E0 SetUnhandledExceptionFilter,0_2_0000020AAE2952E0
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE26F498 SetUnhandledExceptionFilter,0_2_0000020AAE26F498
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE26F2B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0000020AAE26F2B8
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE23B420 ShellExecuteW,0_2_0000020AAE23B420
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE26DF10 cpuid 0_2_0000020AAE26DF10
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: EnumSystemLocalesW,0_2_0000020AAE268F60
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: EnumSystemLocalesW,0_2_0000020AAE269030
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: GetLocaleInfoW,0_2_0000020AAE25E020
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0000020AAE2690C8
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: EnumSystemLocalesW,0_2_0000020AAE25DAE0
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,0_2_0000020AAE268C04
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: GetLocaleInfoW,0_2_0000020AAE269518
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0000020AAE26964C
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: GetLocaleInfoW,0_2_0000020AAE269310
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: EnumSystemLocalesW,0_2_0000020AAE2953B8
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: GetLocaleInfoW,EnumSystemLocalesW,RaiseException,0_2_0000020AAE2953A0
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0000020AAE269468
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: GetLocaleInfoEx,FormatMessageA,0_2_0000020AAE27B170
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeKey value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyNameJump to behavior
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE26F908 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0000020AAE26F908
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE246150 GetUserNameW,0_2_0000020AAE246150
              Source: C:\Users\user\Desktop\ZIOpctBE0o.exeCode function: 0_2_0000020AAE262E3C _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_0000020AAE262E3C

              Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: ZIOpctBE0o.exe PID: 4712, type: MEMORYSTR
Source: Yara match | File source: 0.2.ZIOpctBE0o.exe.20aae1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZIOpctBE0o.exe.20aae1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2060727680.0000020AAC68C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2061379181.0000020AAE5D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2061153206.0000020AAE1C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZIOpctBE0o.exe PID: 4712, type: MEMORYSTR
Source: ZIOpctBE0o.exe, 00000000.00000002.2060727680.0000020AAC68C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Electrum\wallets
Source: ZIOpctBE0o.exe, 00000000.00000002.2060727680.0000020AAC68C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ElectronCash\wallets
Source: ZIOpctBE0o.exe, 00000000.00000002.2060727680.0000020AAC68C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: ZIOpctBE0o.exe, 00000000.00000002.2060727680.0000020AAC68C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Exodus\exodus.wallet
Source: ZIOpctBE0o.exe, 00000000.00000002.2060727680.0000020AAC68C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Ethereum\keystore
Source: ZIOpctBE0o.exe, 00000000.00000002.2060727680.0000020AAC68C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Ethereum\keystore
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ZIOpctBE0o.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

              Remote Access Functionality

Source: Yara match | File source: Process Memory Space: ZIOpctBE0o.exe PID: 4712, type: MEMORYSTR
Source: Yara match | File source: 0.2.ZIOpctBE0o.exe.20aae1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZIOpctBE0o.exe.20aae1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2060727680.0000020AAC68C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2061379181.0000020AAE5D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2061153206.0000020AAE1C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZIOpctBE0o.exe PID: 4712, type: MEMORYSTR

MITRE ATT&CK Matrix (one line per tactic; techniques matched by this report's signatures carry the number of matching signatures in parentheses, the remaining entries are the unmatched cells of the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Exploitation for Privilege Escalation (1); Access Token Manipulation (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Access Token Manipulation (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Software Packing; Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (12); Security Software Discovery (31); Process Discovery (2); Account Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (3); System Information Discovery (34)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Screen Capture (1); Email Collection (1); Archive Collected Data (1); Data from Local System (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (21); Non-Standard Port (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (3); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Antivirus detection
Source | Detection | Scanner | Label
ZIOpctBE0o.exe | 75% | ReversingLabs | Win64.Trojan.MeduzaStealer
ZIOpctBE0o.exe | 72% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches

Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 172.67.74.152 | true | false | | high

URLs
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

Reputation legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IPs
IP | Domain | Country | ASN | ASN Name | Malicious
45.130.145.152 | unknown | Russian Federation | 49392 | ASBAXETNRU | true
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1617317
Start date and time: 2025-02-17 18:29:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ZIOpctBE0o.exe (renamed because original name is a hash value)
Original Sample Name: de4ed476df7cdbcd737dbd4a8db764cd7d0bca1e6e09748e424645c8a21607d7.exe
Detection: MAL
Classification: mal100.troj.spyw.winEXE@1/0@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 81
• Number of non-executed functions: 123
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                  No simulations
Context for IP 45.130.145.152
Associated Sample Name / URL | Detection | Threat Name
pablo.exe | malicious | CredGrabber, Meduza Stealer
billys.exe | malicious | Meduza Stealer
ruppert.exe | malicious | CredGrabber, Meduza Stealer
apilibx64.exe | malicious | CredGrabber, Meduza Stealer
venomderek.exe | malicious | CredGrabber, Meduza Stealer
siveria.exe | malicious | CredGrabber, Meduza Stealer
unique.exe | malicious | CredGrabber, Meduza Stealer
siveria.exe | malicious | CredGrabber, Meduza Stealer
chelentano.exe | malicious | CredGrabber, Meduza Stealer
9RM52QaURq.exe | malicious | CredGrabber, Meduza Stealer

Context for IP 172.67.74.152
Associated Sample Name / URL | Detection | Threat Name | Context
Setup.exe | malicious | Unknown | api.ipify.org/?format=xml
jgbC220X2U.exe | malicious | Unknown | api.ipify.org/?format=text
malware.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
Simple1.exe | malicious | Unknown | api.ipify.org/
Simple2.exe | malicious | Unknown | api.ipify.org/
systemConfigChecker.exe | malicious | Unknown | api.ipify.org/
systemConfigChecker.exe | malicious | Unknown | api.ipify.org/
2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
Zc9eO57fgF.elf | malicious | Unknown | api.ipify.org/
67065b4c84713_Javiles.exe | malicious | RDPWrap Tool | api.ipify.org/

Context for domain api.ipify.org
Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
copia_01929pdf.exe | malicious | AgentTesla | 104.26.13.205
Doc 1189623388009.scr.exe | malicious | AgentTesla | 104.26.12.205
play.wav.htm | malicious | HtmlDropper | 104.26.12.205
CheckList Job no.exe | malicious | AgentTesla | 172.67.74.152
http://nodeissuesfix.com/ | malicious | Unknown | 104.26.13.205
https://business.secure-accounts-security.com/wp-content/.htaccess | malicious | Unknown | 104.26.12.205
NexoPack Setup 1.0.0.exe | malicious | Unknown | 104.26.12.205
NexoPack Setup 1.0.0.exe | malicious | Unknown | 104.26.12.205
2HgZnWGWPe.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
7n8jjIFn5M.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205

Context for ASN ASBAXETNRU
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
8vNAzcRheC.exe | malicious | DCRat, PureLog Stealer, zgRAT | 45.93.200.175
Setup.exe | malicious | Unknown | 45.93.201.181
1738842483c13df414985ff28eae0e6b09c3d0db7cc5eaeac1623278a4d4c0c8da56993060344.dat-decoded.exe | malicious | AsyncRAT, DcRat | 45.135.232.38
1738649104be845ad7a6cb80f192f5e9eddca83a4d6a7977b7f05d925d9569b5cf1e82cd77936.dat-decoded.exe | malicious | AsyncRAT, DcRat | 45.135.232.38
weChateams (3).exe | malicious | Unknown | 212.192.14.53
weChateams (3).exe | malicious | Unknown | 212.192.14.53
t7ezlyhxpf56ojs26xk697l0i4zl1bt.exe | malicious | I2PRAT | 193.53.127.246
https://telegrabmm.com/ | malicious | Unknown | 193.53.126.69
173715408512e4c3c85b256a83c3a15cc3e6edc1cf7794155c2d2fa3159fed8c9b52869327859.dat-decoded.exe | malicious | Quasar | 45.135.232.38
173715408790e0671373b3dba7df5e0d1c20631f6645499b625784ca27993d6059e2485bda426.dat-decoded.exe | malicious | Remcos | 45.135.232.38

Context for ASN CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
https://rpqffvhbb.cc.rs6.net/tn.jsp?f=0014kcclQXjPXojT0ti9V52RcXl4z4Vz--beWhEpNrqnLWHxys4qF9LPuo_spJkGtd99wCHXIF8SrjNw5f7C7a4uHYln_cY2bKtw_9grTGpKhyUdMN54rd5jGq9iXvjTQ_1ZqPOlcyaJO5i6eVirYCS-Aw8Yj3ZjuVLOe5I_meMvRPB2ZFMGWUJnIhs01nCTgS6IU1DHYOHg0cPeTM9oCls9zcwREma1URiZR_mcbieP3coMGuF7tAZZKkqIGQi3B0QOls2fxlpqFxzOMHmfXgLkQ==&c=m9vJ9fSAy80r925LymjLMH-zd09aiPFcNFYgM-NaI83_5TV5j31yRA==&ch=metbn8RrmYKdxQqAH_UNs4zoTXwjYFbMJ4QbLNi8NvHcFYJaLDgOEA== | malicious | HTMLPhisher | 188.114.97.3
https://adfs-OZrtY7DQglHoAZotD0jKGmDz9af367vOzfOaftUDQT6I4YZH3E.lumpnk.ru/vXsP8/###9jbuxkemper@louisianaspine.org | malicious | Unknown | 104.16.2.189
https://www.buildwithbrick.com/ | malicious | Anonymous Proxy | 104.17.25.14
https://na4.docusign.net/Signing/EmailStart.aspx?a=3c56b97e-f52b-41fb-a108-03e6f0b98497&etti=24&acct=64ac2e03-602c-40bb-a404-aa2fbcd4cb57&er=c83d01c5-2226-4002-b236-f161c9bed457 | malicious | HTMLPhisher | 104.18.87.42
mMS2hfsyJd.img | malicious | MassLogger RAT | 104.21.16.1
2025 Q1 Staff Pay Adjustment-Handbook.pdf | malicious | HTMLPhisher | 104.17.25.14
poll.exe | malicious | LummaC Stealer | 172.67.172.121
SecuriteInfo.com.Win64.Trojan.Agent.SPKBLR.21082.13583.exe | malicious | Unknown | 104.26.0.5
cool.exe | malicious | Discord Rat | 162.159.134.234
cool.exe | malicious | Discord Rat | 162.159.136.234

Context for 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
RFQ_SRC02252017-pdf.scr.exe | malicious | GuLoader | 172.67.74.152
RFQ_SRC02252017-pdf.scr.exe | malicious | GuLoader | 172.67.74.152
Nonmerchantable.exe | malicious | GuLoader, Snake Keylogger | 172.67.74.152
Payment_Swift Copy_ TXR077901844095342_pdf.exe | malicious | Discord Token Stealer, GuLoader | 172.67.74.152
updater.exe | malicious | Vidar | 172.67.74.152
Request for Quotation TX00171164_pdf.exe | malicious | GuLoader | 172.67.74.152
JUSTIFICANTE DE TRANSFERENCIA.exe | malicious | GuLoader, Snake Keylogger | 172.67.74.152
JUSTIF. PAGO AQUISGRANpdf.exe | malicious | GuLoader, Snake Keylogger | 172.67.74.152
Hermaean.exe | malicious | GuLoader, MassLogger RAT | 172.67.74.152
facturar.exe | malicious | GuLoader, Snake Keylogger | 172.67.74.152
                                      No context
                                      No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 3.912212893179806
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ZIOpctBE0o.exe
File size: 2'749'952 bytes
MD5: 06ff127c1db7dd45b7e368d8f4ba48e4
SHA1: b11dcbd6d3e9e33046b6f2e1698c595d4a566c67
SHA256: de4ed476df7cdbcd737dbd4a8db764cd7d0bca1e6e09748e424645c8a21607d7
SHA512: 5378ffb98c7a1cfa9c74ceb3f2f016f48e96dcce9444cb5d8b84f5f070741e06a5e040225386c7f55e3025d2d39513bd682519f42c4c223b0c3655d79a1d901a
SSDEEP: 24576:V9L8hJZ4uB+Ch0lhSMXlXCtNCvyoPyRxsVTcu6WjZEt2WVNW9+y5Q:PL8hD4aunCuxyRxsVT36WeVg+
TLSH: 23D5F196B7E404F8E1BB8238C8D60A46E773785603519BCF03A486B62F276D35E3E751
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\7...V...V...V.......V.......V.......V......yV..S....V..S....V..S....V.. ....V..P...<V..S....V...V...V..S....V..S.a..V..S....V.
Icon Hash: 00928e8e8686b000
Entrypoint: 0x14003e230
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6762C4F4 [Wed Dec 18 12:49:56 2024 UTC]
TLS Callbacks: none (the TLS data directory is empty)
CLR (.Net) Version: none (the COM descriptor data directory is empty; this is a native image even though it imports mscoree.dll)
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 259e8414ffd4b8ab603913db518e276c
Instruction (entrypoint disassembly). Caveat: the listing decodes this 64-bit code in 32-bit mode, so REX prefix bytes (0x40-0x4F) appear as spurious "inc"/"dec" instructions and movsxd appears as "arpl". Read "dec eax / sub esp, 28h" as "sub rsp, 28h" and "dec eax / mov ecx, edx" as "mov rcx, rdx". The first block (sub rsp, 28h; call; add rsp, 28h; jmp) has the shape of the standard MSVC x64 CRT entry stub, and the block that loads edx with C0000409h (STATUS_STACK_BUFFER_OVERRUN) after calling SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter and GetCurrentProcess, then tail-jumps through the import table to TerminateProcess, is the CRT's /GS cookie-failure handler. None of the code shown here is sample-specific logic; the stealer functionality lives elsewhere in .text.
                                      dec eax
                                      sub esp, 28h
                                      call 00007FD6E8B3573Ch
                                      dec eax
                                      add esp, 28h
                                      jmp 00007FD6E8B34BAFh
                                      int3
                                      int3
                                      dec eax
                                      sub esp, 28h
                                      dec ebp
                                      mov eax, dword ptr [ecx+38h]
                                      dec eax
                                      mov ecx, edx
                                      dec ecx
                                      mov edx, ecx
                                      call 00007FD6E8B34D42h
                                      mov eax, 00000001h
                                      dec eax
                                      add esp, 28h
                                      ret
                                      int3
                                      int3
                                      int3
                                      inc eax
                                      push ebx
                                      inc ebp
                                      mov ebx, dword ptr [eax]
                                      dec eax
                                      mov ebx, edx
                                      inc ecx
                                      and ebx, FFFFFFF8h
                                      dec esp
                                      mov ecx, ecx
                                      inc ecx
                                      test byte ptr [eax], 00000004h
                                      dec esp
                                      mov edx, ecx
                                      je 00007FD6E8B34D45h
                                      inc ecx
                                      mov eax, dword ptr [eax+08h]
                                      dec ebp
                                      arpl word ptr [eax+04h], dx
                                      neg eax
                                      dec esp
                                      add edx, ecx
                                      dec eax
                                      arpl ax, cx
                                      dec esp
                                      and edx, ecx
                                      dec ecx
                                      arpl bx, ax
                                      dec edx
                                      mov edx, dword ptr [eax+edx]
                                      dec eax
                                      mov eax, dword ptr [ebx+10h]
                                      mov ecx, dword ptr [eax+08h]
                                      dec eax
                                      mov eax, dword ptr [ebx+08h]
                                      test byte ptr [ecx+eax+03h], 0000000Fh
                                      je 00007FD6E8B34D3Dh
                                      movzx eax, byte ptr [ecx+eax+03h]
                                      and eax, FFFFFFF0h
                                      dec esp
                                      add ecx, eax
                                      dec esp
                                      xor ecx, edx
                                      dec ecx
                                      mov ecx, ecx
                                      pop ebx
                                      jmp 00007FD6E8B34776h
                                      int3
                                      inc eax
                                      push ebx
                                      dec eax
                                      sub esp, 20h
                                      dec eax
                                      mov ebx, ecx
                                      xor ecx, ecx
                                      call dword ptr [0000FE37h]
                                      dec eax
                                      mov ecx, ebx
                                      call dword ptr [0000FE26h]
                                      call dword ptr [0000FD90h]
                                      dec eax
                                      mov ecx, eax
                                      mov edx, C0000409h
                                      dec eax
                                      add esp, 20h
                                      pop ebx
                                      dec eax
                                      jmp dword ptr [0000FE1Ch]
                                      dec eax
                                      mov dword ptr [esp+00h], ecx
                                      Programming Language:
                                      • [IMP] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x298c04 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a3000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x29e000 | 0x4038 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a4000 | 0xad0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x290d80 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x290c40 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4e000 | 0x438 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4cdc0 | 0x4ce00 | f0c0ea36bf296498c8b89c1a1671ba6c | False | 0.5267625762195122 | data | 6.539312086987541 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4e000 | 0x24ba3a | 0x24bc00 | 50de05a449d226c717f3fec2f44e509e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x29a000 | 0x330c | 0x1800 | d1ebd331d3cf6c8adbb31602bd239ee4 | False | 0.1865234375 | data | 3.2382802275840623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x29e000 | 0x4038 | 0x4200 | 8411825e2467307cedb8b6c4f15d3cdf | False | 0.47123579545454547 | data | 5.575992239724539 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2a3000 | 0x1e0 | 0x200 | fd7f3c77b3b8152760b71a549e0deae5 | False | 0.52734375 | data | 4.7113407225994175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2a4000 | 0xad0 | 0xc00 | 49c311309af6d41eb0a329b47e6c6fcc | False | 0.4716796875 | data | 5.228340394510781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x2a3060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
ntdll.dll | RtlImageDirectoryEntryToData, RtlLeaveCriticalSection, RtlEnterCriticalSection, RtlCompareMemory, NtProtectVirtualMemory, RtlImageNtHeader, NtQueryVirtualMemory, RtlGetNtVersionNumbers
KERNEL32.dll | FreeEnvironmentStringsW, GetEnvironmentStringsW, VirtualFree, VirtualAlloc, GetModuleHandleW, LoadLibraryA, ReadFile, WriteFile, CreateFileW, CloseHandle, GetProcAddress, GetCurrentProcess, FlushInstructionCache, VirtualQuery, WriteProcessMemory, EnterCriticalSection, GetModuleFileNameW, LeaveCriticalSection, GetModuleHandleA, MultiByteToWideChar, GetWindowsDirectoryW, ExitProcess, WideCharToMultiByte, GetLastError, SetLastError, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, CreateThread, ExitThread, FreeLibrary, FreeLibraryAndExitThread, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetCurrentThreadId, DeleteCriticalSection, GetStdHandle, GetFileType, GetStartupInfoW, RaiseException, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeCriticalSectionAndSpinCount, GetSystemTimeAsFileTime, LoadLibraryExW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapReAlloc, HeapSize, GetProcessHeap, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetStringTypeW, GetFileSizeEx, SetFilePointerEx, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadConsoleW, WriteConsoleW, GetCurrentProcessId, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, WakeAllConditionVariable, QueryPerformanceCounter, LCMapStringEx, DecodePointer, InitializeCriticalSectionEx, GetFileInformationByHandleEx, FormatMessageA, QueryPerformanceFrequency, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, Sleep, WaitForSingleObjectEx, GetExitCodeThread, LocalFree, GetLocaleInfoEx, FindClose, FindFirstFileW, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, AreFileApisANSI
USER32.dll | LoadAcceleratorsW, LoadAcceleratorsA
ADVAPI32.dll | GetTokenInformation, OpenProcessToken
OLEAUT32.dll | SysAllocString, SafeArrayPutElement, SafeArrayUnaccessData, SafeArrayCreate, SafeArrayCreateVector, SafeArrayAccessData, SysFreeString, SafeArrayDestroy
mscoree.dll | CLRCreateInstance
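The import table is the raw material for several of the report's static signatures: IsDebuggerPresent for the debugger check, WriteProcessMemory, NtProtectVirtualMemory and FlushInstructionCache for in-process code patching, LoadLibraryA/GetProcAddress for dynamic API resolution, OpenProcessToken/GetTokenInformation for the privilege check, and mscoree!CLRCreateInstance for hosting the .NET runtime from a native image (consistent with the empty COM descriptor directory and the OLEAUT32 SafeArray imports). It is also the input to the Import Hash. The following Python is an added example, not code from the report or from the sample. It recomputes the 8-bit Shannon entropy that the section table reports, a pefile-compatible import hash, a capability summary and a few section heuristics over data transcribed from the tables above. The capability groups, the 7.2 bits/byte packed-section threshold and the section findings are this example's assumptions. Because only a subset of the imports is transcribed, the hash it prints will not equal the report's 259e8414ffd4b8ab603913db518e276c, which requires the complete table in import-directory order.

```python
"""Static triage from the PE metadata shown in this report (sections + imports).

Added example, not part of the Joe Sandbox report or of the sample. Section
metadata and the import subset are transcribed from the report; the capability
table, the entropy threshold and the section heuristics are assumptions.
Section bytes are not available here, so shannon_entropy() is exercised on
constructed data.
"""
import hashlib
import math
from collections import Counter

# (name, virtual_size, raw_size, entropy or None, characteristics) from the report.
REPORT_SECTIONS = [
    (".text",  0x4cdc0,  0x4ce00,  6.539312086987541,  "CODE|EXECUTE|READ"),
    (".rdata", 0x24ba3a, 0x24bc00, None,               "INITIALIZED_DATA|READ"),
    (".data",  0x330c,   0x1800,   3.2382802275840623, "INITIALIZED_DATA|READ|WRITE"),
    (".pdata", 0x4038,   0x4200,   5.575992239724539,  "INITIALIZED_DATA|READ"),
    (".rsrc",  0x1e0,    0x200,    4.7113407225994175, "INITIALIZED_DATA|READ"),
    (".reloc", 0xad0,    0xc00,    5.228340394510781,  "INITIALIZED_DATA|READ|DISCARDABLE"),
]

# A subset of the import table from the report, in the order listed there.
REPORT_IMPORTS = [
    ("ntdll.dll", "NtProtectVirtualMemory"), ("ntdll.dll", "NtQueryVirtualMemory"),
    ("KERNEL32.dll", "VirtualAlloc"), ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"), ("KERNEL32.dll", "FlushInstructionCache"),
    ("KERNEL32.dll", "WriteProcessMemory"), ("KERNEL32.dll", "IsDebuggerPresent"),
    ("KERNEL32.dll", "FindFirstFileW"), ("KERNEL32.dll", "FindNextFileW"),
    ("ADVAPI32.dll", "GetTokenInformation"), ("ADVAPI32.dll", "OpenProcessToken"),
    ("mscoree.dll", "CLRCreateInstance"),
]

# Assumption: API groups worth calling out in a first-pass triage.
CAPABILITIES = {
    "code patching / injection": {"WriteProcessMemory", "NtProtectVirtualMemory",
                                  "FlushInstructionCache", "VirtualAlloc"},
    "dynamic API resolution": {"LoadLibraryA", "LoadLibraryExW", "GetProcAddress"},
    "anti-debug": {"IsDebuggerPresent"},
    "token inspection": {"OpenProcessToken", "GetTokenInformation"},
    "CLR hosting from native code": {"CLRCreateInstance"},
    "file system enumeration": {"FindFirstFileW", "FindFirstFileExW", "FindNextFileW"},
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the same measure
    as the report's per-section Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def imphash(imports) -> str:
    """pefile-style import hash: md5 over 'dll.function' pairs, lower-cased,
    with .dll/.ocx/.sys stripped, joined by commas in import-table order.
    Ordinal-only imports (none in this report) would need pefile's ordinal
    name tables and are not handled here."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def capability_flags(imports) -> dict:
    """Map each capability to the imported APIs that evidence it."""
    names = {func for _, func in imports}
    return {cap: sorted(apis & names) for cap, apis in CAPABILITIES.items() if apis & names}


def section_findings(sections, packed_threshold: float = 7.2) -> list:
    """Heuristics over the section table: likely-packed sections, RWX sections,
    and sections with no file-backed data (filled at runtime)."""
    findings = []
    for name, vsize, rsize, entropy, chars in sections:
        if entropy is None:
            findings.append(f"{name}: entropy not computed, inspect manually")
        elif entropy >= packed_threshold:
            findings.append(f"{name}: entropy {entropy:.2f}, likely packed or encrypted")
        if "EXECUTE" in chars and "WRITE" in chars:
            findings.append(f"{name}: writable and executable")
        if rsize == 0 and vsize > 0:
            findings.append(f"{name}: no raw data, filled at runtime")
    return findings


if __name__ == "__main__":
    print("imphash (subset):", imphash(REPORT_IMPORTS))
    for cap, apis in capability_flags(REPORT_IMPORTS).items():
        print(f"{cap}: {', '.join(apis)}")
    for line in section_findings(REPORT_SECTIONS):
        print(line)
```

The only section finding on this sample's own numbers is .rdata, whose entropy the report could not compute; given that .rdata is 2.4 MB of a 2.7 MB file, that is the section to hash and inspect by hand, since encrypted configuration or string blobs in a stealer commonly live there.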
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-02-17T18:30:13.148487+0100 | 2049441 | ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt | 1 | 192.168.2.5 | 49704 | 45.130.145.152 | 15666 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2025 18:30:10.528496027 CET | 49704 | 15666 | 192.168.2.5 | 45.130.145.152
Feb 17, 2025 18:30:10.533396959 CET | 15666 | 49704 | 45.130.145.152 | 192.168.2.5
Feb 17, 2025 18:30:10.533485889 CET | 49704 | 15666 | 192.168.2.5 | 45.130.145.152
Feb 17, 2025 18:30:10.605797052 CET | 49705 | 443 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:30:10.605829954 CET | 443 | 49705 | 172.67.74.152 | 192.168.2.5
Feb 17, 2025 18:30:10.605928898 CET | 49705 | 443 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:30:10.610047102 CET | 49705 | 443 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:30:10.610063076 CET | 443 | 49705 | 172.67.74.152 | 192.168.2.5
Feb 17, 2025 18:30:11.126189947 CET | 443 | 49705 | 172.67.74.152 | 192.168.2.5
Feb 17, 2025 18:30:11.126384974 CET | 49705 | 443 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:30:11.177779913 CET | 49705 | 443 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:30:11.177792072 CET | 443 | 49705 | 172.67.74.152 | 192.168.2.5
Feb 17, 2025 18:30:11.178112030 CET | 443 | 49705 | 172.67.74.152 | 192.168.2.5
Feb 17, 2025 18:30:11.178174973 CET | 49705 | 443 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:30:11.179188967 CET | 49705 | 443 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:30:11.219342947 CET | 443 | 49705 | 172.67.74.152 | 192.168.2.5
Feb 17, 2025 18:30:11.293956995 CET | 443 | 49705 | 172.67.74.152 | 192.168.2.5
Feb 17, 2025 18:30:11.294008970 CET | 443 | 49705 | 172.67.74.152 | 192.168.2.5
Feb 17, 2025 18:30:11.294040918 CET | 49705 | 443 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:30:11.294068098 CET | 49705 | 443 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:30:11.294377089 CET | 49705 | 443 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:30:11.294392109 CET | 443 | 49705 | 172.67.74.152 | 192.168.2.5
Feb 17, 2025 18:30:12.294346094 CET | 15666 | 49704 | 45.130.145.152 | 192.168.2.5
Feb 17, 2025 18:30:12.294400930 CET | 49704 | 15666 | 192.168.2.5 | 45.130.145.152
Feb 17, 2025 18:30:13.148487091 CET | 49704 | 15666 | 192.168.2.5 | 45.130.145.152
Feb 17, 2025 18:30:13.153568029 CET | 15666 | 49704 | 45.130.145.152 | 192.168.2.5
Feb 17, 2025 18:30:13.153578043 CET | 15666 | 49704 | 45.130.145.152 | 192.168.2.5
Feb 17, 2025 18:30:13.153646946 CET | 15666 | 49704 | 45.130.145.152 | 192.168.2.5
Feb 17, 2025 18:30:13.153655052 CET | 15666 | 49704 | 45.130.145.152 | 192.168.2.5
Feb 17, 2025 18:30:13.153719902 CET | 15666 | 49704 | 45.130.145.152 | 192.168.2.5
Feb 17, 2025 18:30:13.153728008 CET | 15666 | 49704 | 45.130.145.152 | 192.168.2.5
Feb 17, 2025 18:30:13.153804064 CET | 15666 | 49704 | 45.130.145.152 | 192.168.2.5
Feb 17, 2025 18:30:13.153812885 CET | 15666 | 49704 | 45.130.145.152 | 192.168.2.5
Feb 17, 2025 18:30:13.153822899 CET | 15666 | 49704 | 45.130.145.152 | 192.168.2.5
Feb 17, 2025 18:30:13.153840065 CET | 15666 | 49704 | 45.130.145.152 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2025 18:30:10.593039036 CET | 58370 | 53 | 192.168.2.5 | 1.1.1.1
Feb 17, 2025 18:30:10.600085974 CET | 53 | 58370 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 17, 2025 18:30:10.593039036 CET | 192.168.2.5 | 1.1.1.1 | 0xd0e | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 17, 2025 18:30:10.600085974 CET | 1.1.1.1 | 192.168.2.5 | 0xd0e | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:30:10.600085974 CET | 1.1.1.1 | 192.168.2.5 | 0xd0e | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:30:10.600085974 CET | 1.1.1.1 | 192.168.2.5 | 0xd0e | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                      • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 172.67.74.152 | 443 | 4712 | C:\Users\user\Desktop\ZIOpctBE0o.exe
Timestamp | Bytes transferred | Direction | Data
2025-02-17 17:30:11 UTC | 100 | OUT | GET / HTTP/1.1
  Accept: text/html; text/plain; */*
  Host: api.ipify.org
  Cache-Control: no-cache
2025-02-17 17:30:11 UTC | 424 | IN | HTTP/1.1 200 OK
  Date: Mon, 17 Feb 2025 17:30:11 GMT
  Content-Type: text/plain
  Content-Length: 12
  Connection: close
  Vary: Origin
  cf-cache-status: DYNAMIC
  Server: cloudflare
  CF-RAY: 913780fc3e678c65-EWR
  server-timing: cfL4;desc="?proto=TCP&rtt=3030&min_rtt=3030&rtt_var=1515&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4178&recv_bytes=738&delivery_rate=167354&cwnd=209&unsent_bytes=0&cid=c527213b0cac8a0f&ts=192&x=0"
2025-02-17 17:30:11 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
  Data Ascii: 8.46.123.189
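Read together, the network tables give the stealer's check-in sequence: the TCP connection to 45.130.145.152:15666 is opened first (18:30:10.528 CET), the api.ipify.org lookup and the 100-byte GET follow, the reply carries the analysis host's public IP (8.46.123.189), and the payload that fired Suricata SID 2049441 is sent on the 15666 socket at 18:30:13.148. The GET itself is a usable fingerprint: no User-Agent at all, and an Accept header that separates media types with semicolons instead of commas, which no browser produces. The following Python is an added example, not part of the report or of the sample. It parses the request exactly as captured and the distinct flows transcribed from the tables above, and returns the findings a detection engineer would key on. The set of expected egress ports and the list of public-IP lookup hosts are this example's assumptions.

```python
"""Network triage over the HTTP request and flows captured in this report.

Added example, not part of the Joe Sandbox report or of the sample. The request
text and the flow tuples are transcribed from the report; EXPECTED_PORTS and
IP_LOOKUP_HOSTS are assumptions a real deployment would tune.
"""
import ipaddress

# Transcribed from the report's HTTP session, CRLF line endings restored.
# Its encoded length is 100 bytes, matching the "Bytes transferred" column.
CAPTURED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Accept: text/html; text/plain; */*\r\n"
    "Host: api.ipify.org\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# (src_ip, src_port, dst_ip, dst_port): one entry per distinct flow in the
# report's TCP and UDP tables.
CAPTURED_FLOWS = [
    ("192.168.2.5", 49704, "45.130.145.152", 15666),  # Suricata SID 2049441 fired here
    ("192.168.2.5", 49705, "172.67.74.152", 443),     # api.ipify.org over TLS
    ("192.168.2.5", 58370, "1.1.1.1", 53),            # DNS
]

# Assumption: hosts stealers commonly query to learn the victim's public IP.
IP_LOOKUP_HOSTS = {"api.ipify.org", "api64.ipify.org", "ipify.org"}
# Assumption: destination ports an ordinary workstation is expected to reach.
EXPECTED_PORTS = {53, 80, 443}


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, version, headers).
    Header names are lower-cased; a header sent twice keeps its first value."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, version, headers


def http_findings(raw: str) -> list:
    """Indicators in the request that distinguish this client from a browser."""
    _method, _target, _version, h = parse_http_request(raw)
    findings = []
    if "user-agent" not in h:
        findings.append("missing User-Agent header")
    accept = h.get("accept", "")
    if ";" in accept and "," not in accept:
        # Browsers separate media types with commas; a semicolon only introduces
        # parameters such as q=0.9. Semicolons between types mean a hand-rolled client.
        findings.append("non-standard Accept separator (';' between media types)")
    host = h.get("host", "").lower()
    if host in IP_LOOKUP_HOSTS:
        findings.append("public IP lookup via " + host)
    return findings


def flow_findings(flows) -> list:
    """Flag outbound flows from RFC 1918 space to unexpected destination ports."""
    findings = []
    for src, sport, dst, dport in flows:
        outbound = ipaddress.ip_address(src).is_private and not ipaddress.ip_address(dst).is_private
        if outbound and dport not in EXPECTED_PORTS:
            findings.append(f"{src}:{sport} -> {dst}:{dport} on non-standard port")
    return findings


def triage(raw_request: str, flows) -> dict:
    """Combine both views; either list being non-empty is worth an analyst's look."""
    return {"http": http_findings(raw_request), "flows": flow_findings(flows)}


if __name__ == "__main__":
    for kind, items in triage(CAPTURED_REQUEST, CAPTURED_FLOWS).items():
        print(kind)
        for item in items:
            print("  -", item)
```

The IP-lookup finding on its own is weak (legitimate software queries ipify too); it becomes strong when the same process also owns a flow to a bare IP on a high port, which is the combination this report shows. Correlate on process or source port rather than alerting on either signal alone.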
Target ID: 0
Start time: 12:30:09
Start date: 17/02/2025
Path: C:\Users\user\Desktop\ZIOpctBE0o.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\ZIOpctBE0o.exe"
Imagebase: 0x7ff6cfe50000 (relocated by ASLR from the preferred base 0x140000000; the image is DYNAMIC_BASE and HIGH_ENTROPY_VA)
File size: 2'749'952 bytes
MD5 hash: 06FF127C1DB7DD45B7E368D8F4BA48E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000000.00000002.2060727680.0000020AAC68C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000000.00000002.2061379181.0000020AAE5D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000000.00000002.2061153206.0000020AAE1C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: infostealer_win_meduzastealer, Description: Finds MeduzaStealer samples based on specific strings, Source: 00000000.00000002.2061153206.0000020AAE1C0000.00000040.00001000.00020000.00000000.sdmp, Author: Sekoia.io
Reputation: low
Has exited: true