Edit tour

Windows Analysis Report
reset.exe

Overview

General Information

Sample name:	reset.exe
Analysis ID:	1628819
MD5:	6a5f3230a1256c3a71744caedf7d92c8
SHA1:	66a090d8f54df6a877e08d9b7a3e4c8fad840dd9
SHA256:	0af17fce3bccc8c202b23b3b3e6275ea1d23678e0a615ee566a496f909f1e819
Tags:	exegithubuser-skocherhan
Infos:

Detection

AveMaria, Clipboard Hijacker, StormKitty

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AveMaria stealer

Yara detected Clipboard Hijacker

Yara detected StormKitty Stealer

Check if machine is in data center or colocation facility

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

reset.exe (PID: 3868 cmdline: "C:\Users\user\Desktop\reset.exe" MD5: 6A5F3230A1256C3A71744CAEDF7D92C8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Ave Maria, AveMariaRAT, avemaria	Information stealer which uses AutoIT for wrapping.	Anunak	http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery https://asec.ahnlab.com/en/36629/ https://blog.cyber5w.com/analyzing-macro-enabled-office-documents https://blog.morphisec.com/syk-crypter-discord https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
reset.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x45a28:$x2: https://github.com/LimerBoy/StormKitty 0x44875:$x3: StormKitty 0x453c1:$x3: StormKitty 0x45a18:$x3: StormKitty 0x45a44:$x3: StormKitty

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3759956115.0000000003BF0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x671f9:$x2: https://github.com/LimerBoy/StormKitty 0x23ac:$x3: StormKitty 0x65338:$x3: StormKitty 0x671e9:$x3: StormKitty 0x67215:$x3: StormKitty
00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_4	Yara detected Clipboard Hijacker	Joe Security
00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x106d0:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: reset.exe PID: 3868	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: reset.exe PID: 3868	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: reset.exe PID: 3868	JoeSecurity_Clipboard_Hijacker_4	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: reset.exe PID: 3868	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: reset.exe PID: 3868	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x1aaf7:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x1ab47:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.reset.exe.3bf0000.1.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x671f9:$x2: https://github.com/LimerBoy/StormKitty 0x23ac:$x3: StormKitty 0x65338:$x3: StormKitty 0x671e9:$x3: StormKitty 0x67215:$x3: StormKitty
4.2.reset.exe.3bf0000.1.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x643f9:$x2: https://github.com/LimerBoy/StormKitty 0x5ac:$x3: StormKitty 0x62538:$x3: StormKitty 0x643e9:$x3: StormKitty 0x64415:$x3: StormKitty
4.0.reset.exe.d20000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x45a28:$x2: https://github.com/LimerBoy/StormKitty 0x44875:$x3: StormKitty 0x453c1:$x3: StormKitty 0x45a18:$x3: StormKitty 0x45a44:$x3: StormKitty

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET MALWARE StormKitty Download Request With Minimal Headers

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T06:36:31.932315+0100	2044965	1	A Network Trojan was detected	192.168.2.7	49720	185.199.111.133	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T06:36:31.932315+0100	2803305	3	Unknown Traffic	192.168.2.7	49720	185.199.111.133	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: reset.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: reset.exe	ReversingLabs: Detection: 71%
Source: reset.exe	Virustotal: Detection: 41%			Perma Link

Yara detected AveMaria stealer

Source: Yara match	File source: 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reset.exe PID: 3868, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: unknown

HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49703 version: TLS 1.2

Source: reset.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044965 - Severity 1 - ET MALWARE StormKitty Download Request With Minimal Headers : 192.168.2.7:49720 -> 185.199.111.133:443

Source: global traffic	HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1Host: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 185.199.111.133 185.199.111.133

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49720 -> 185.199.111.133:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1Host: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 6BCD:277C4A:105DC62:14E74B7:67C6915CAccept-Ranges: bytesDate: Tue, 04 Mar 2025 05:36:29 GMTVia: 1.1 varnishX-Served-By: cache-ewr-kewr1740038-EWRX-Cache: MISSX-Cache-Hits: 0X-Timer: S1741066589.042105,VS0,VE35Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: d1a75b155f60981db1539cfdb3ccd4dd71195e0bExpires: Tue, 04 Mar 2025 05:41:29 GMTSource-Age: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 6BCD:277C4A:105DC62:14E74B7:67C6915CAccept-Ranges: bytesDate: Tue, 04 Mar 2025 05:36:31 GMTVia: 1.1 varnishX-Served-By: cache-ewr-kewr1740066-EWRX-Cache: HITX-Cache-Hits: 1X-Timer: S1741066592.884539,VS0,VE1Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: d42d2c2d001e44aa219c35540b552f5bc68000a1Expires: Tue, 04 Mar 2025 05:41:31 GMTSource-Age: 3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 79A4:1E905F:CBE4C0:100D8DD:67C69160Accept-Ranges: bytesDate: Tue, 04 Mar 2025 05:36:34 GMTVia: 1.1 varnishX-Served-By: cache-nyc-kteb1890028-NYCX-Cache: MISSX-Cache-Hits: 0X-Timer: S1741066595.730012,VS0,VE11Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: e2d3020ccd9622e2210fff2d654f7df3933c0eebExpires: Tue, 04 Mar 2025 05:41:34 GMTSource-Age: 0

Source: reset.exe, 00000004.00000002.3760159304.00000000043EA000.00000004.00000800.00020000.00000000.sdmp, reset.exe, 00000004.00000002.3760159304.0000000004479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: reset.exe, 00000004.00000002.3760159304.00000000043EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=h
Source: reset.exe, 00000004.00000002.3760159304.00000000043EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: reset.exe, 00000004.00000002.3760159304.0000000004514000.00000004.00000800.00020000.00000000.sdmp, reset.exe, 00000004.00000002.3760159304.0000000004536000.00000004.00000800.00020000.00000000.sdmp, reset.exe, 00000004.00000002.3760159304.0000000004587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.com
Source: reset.exe, 00000004.00000002.3760159304.00000000043EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: reset.exe	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: reset.exe, 00000004.00000002.3760159304.0000000004501000.00000004.00000800.00020000.00000000.sdmp, reset.exe, 00000004.00000002.3760159304.0000000004536000.00000004.00000800.00020000.00000000.sdmp, reset.exe, 00000004.00000002.3760159304.0000000004587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: reset.exe, 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.
Source: reset.exe, 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown

HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49703 version: TLS 1.2

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match	File source: 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reset.exe PID: 3868, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: reset.exe, type: SAMPLE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 4.2.reset.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 4.2.reset.exe.3bf0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 4.0.reset.exe.d20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000004.00000002.3759956115.0000000003BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: reset.exe PID: 3868, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\reset.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\reset.exe	Code function: 4_2_00007FFAAC7C0568	4_2_00007FFAAC7C0568
Source: C:\Users\user\Desktop\reset.exe	Code function: 4_2_00007FFAAC7C76F8	4_2_00007FFAAC7C76F8
Source: C:\Users\user\Desktop\reset.exe	Code function: 4_2_00007FFAAC7C089D	4_2_00007FFAAC7C089D
Source: C:\Users\user\Desktop\reset.exe	Code function: 4_2_00007FFAAC7C78E5	4_2_00007FFAAC7C78E5
Source: C:\Users\user\Desktop\reset.exe	Code function: 4_2_00007FFAAC7C0500	4_2_00007FFAAC7C0500
Source: C:\Users\user\Desktop\reset.exe	Code function: 4_2_00007FFAAC7CB661	4_2_00007FFAAC7CB661
Source: C:\Users\user\Desktop\reset.exe	Code function: 4_2_00007FFAAC7C7AB3	4_2_00007FFAAC7C7AB3
Source: C:\Users\user\Desktop\reset.exe	Code function: 4_2_00007FFAAC7C7789	4_2_00007FFAAC7C7789
Source: C:\Users\user\Desktop\reset.exe	Code function: 4_2_00007FFAAC7C7C8F	4_2_00007FFAAC7C7C8F
Source: C:\Users\user\Desktop\reset.exe	Code function: 4_2_00007FFAAC7CB4B5	4_2_00007FFAAC7CB4B5
Source: C:\Users\user\Desktop\reset.exe	Code function: 4_2_00007FFAAC7C8CAE	4_2_00007FFAAC7C8CAE

Source: reset.exe

Static PE information: No import functions for PE file found

Source: reset.exe, 00000004.00000002.3759956115.0000000003BF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameStormKitty.exe* vs reset.exe
Source: reset.exe	Binary or memory string: OriginalFilenameStormKitty.exe* vs reset.exe

Source: reset.exe, type: SAMPLE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 4.2.reset.exe.3bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 4.2.reset.exe.3bf0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 4.0.reset.exe.d20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000004.00000002.3759956115.0000000003BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: reset.exe PID: 3868, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: reset.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@2/2

Source: C:\Users\user\Desktop\reset.exe

File created: C:\Users\user\AppData\Local\4e1609b1a476f5f88480b1697eb8b336

Jump to behavior

Source: C:\Users\user\Desktop\reset.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\reset.exe	Mutant created: \Sessions\1\BaseNamedObjects\09B668B429A4BF3829B4833B450D1584

Source: C:\Users\user\Desktop\reset.exe

File created: C:\Users\user\AppData\Local\Temp\StormKitty-Latest.log

Jump to behavior

Source: reset.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: reset.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\reset.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: reset.exe	ReversingLabs: Detection: 71%
Source: reset.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\reset.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\reset.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\reset.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: reset.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: reset.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: reset.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: reset.exe

Static PE information: section name: .text entropy: 7.986615672208267

Source: C:\Users\user\Desktop\reset.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: reset.exe, 00000004.00000002.3760159304.00000000044F9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\reset.exe	Memory allocated: 1690000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Memory allocated: 1C070000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599738	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599616	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599400	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599284	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599153	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599030	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598914	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598798	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598682	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598566	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598428	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598181	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598065	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597927	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597795	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597679	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597448	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597089	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 596726	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 596334	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 596197	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 596072	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595958	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595824	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595702	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595586	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595470	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595238	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595100	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594992	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594884	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594768	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594648	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594536	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594398	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594282	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594166	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594050	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593919	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593796	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593680	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593564	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593448	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593332	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593194	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593078	Jump to behavior

Source: C:\Users\user\Desktop\reset.exe	Window / User API: threadDelayed 2858			Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Window / User API: threadDelayed 6934			Jump to behavior

Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -599859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -599738s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -599616s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -599500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -599400s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -599284s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -599153s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -599030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -598914s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -598798s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -598682s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -598566s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -598428s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -598181s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -598065s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -597927s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -597795s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -597679s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -597448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -597089s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -596726s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -596334s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -596197s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -596072s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -595958s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -595824s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -595702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -595586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -595470s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -595238s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -595100s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -594992s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -594884s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -594768s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -594648s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -594536s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -594398s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -594282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -594166s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -594050s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -593919s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -593796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -593680s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -593564s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -593448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -593332s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -593194s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe TID: 7456	Thread sleep time: -593078s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\reset.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\reset.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599738	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599616	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599400	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599284	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599153	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 599030	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598914	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598798	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598682	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598566	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598428	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598181	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 598065	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597927	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597795	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597679	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597448	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 597089	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 596726	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 596334	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 596197	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 596072	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595958	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595824	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595702	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595586	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595470	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595238	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 595100	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594992	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594884	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594768	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594648	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594536	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594398	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594282	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594166	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 594050	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593919	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593796	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593680	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593564	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593448	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593332	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593194	Jump to behavior
Source: C:\Users\user\Desktop\reset.exe	Thread delayed: delay time: 593078	Jump to behavior

Source: reset.exe, 00000004.00000002.3760159304.00000000044F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: reset.exe, 00000004.00000002.3760159304.00000000044F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: reset.exe, 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VirtualMachine:
Source: reset.exe, 00000004.00000002.3765243949.000000001EE90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\reset.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\reset.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\reset.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\reset.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\reset.exe

Queries volume information: C:\Users\user\Desktop\reset.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\reset.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match	File source: 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reset.exe PID: 3868, type: MEMORYSTR

Yara detected Clipboard Hijacker

Source: Yara match	File source: 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reset.exe PID: 3868, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reset.exe PID: 3868, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: reset.exe, 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: reset.exe, 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx5
Source: reset.exe, 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet
Source: reset.exe, 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore
Source: reset.exe, 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: reset.exe, 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: reset.exe, 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets
Source: reset.exe, 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore

Source: Yara match	File source: 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reset.exe PID: 3868, type: MEMORYSTR

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match	File source: 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reset.exe PID: 3868, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: 00000004.00000002.3760159304.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reset.exe PID: 3868, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	331 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	161 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	161 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
reset.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report reset.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
reset.exe