Windows Analysis Report
injectorQWEEX.exe

Overview

General Information

Sample name: injectorQWEEX.exe
(renamed file extension from bin to exe)
Original sample name: injectorQWEEX.bin
Analysis ID: 1630529
MD5: d44daf1beea1a9ed0cc2eeacd2bfbd5c
SHA1: 22e54e3272ada9a1546e80e10ff73425da5e1ab5
SHA256: b2fc6d0c50f49c03a0f7863ca82036d09a74a275080ae5aebe7131582a893612
Infos:

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: injectorQWEEX.exe.1304.0.memstrmin Malware Configuration Extractor: RedLine {"C2 url": "45.15.156.127:23000"}
Source: injectorQWEEX.exe Virustotal: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: injectorQWEEX.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: injectorQWEEX.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb8 source: injectorQWEEX.exe, 00000000.00000003.24411418172.0000000001428000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25526698824.000000000142D000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24412348172.000000000142C000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409019947.0000000001428000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D18000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D15000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D57000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D57000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb969588382-3778222414-1001_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D18000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D15000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbF source: injectorQWEEX.exe, 00000000.00000003.24411418172.0000000001428000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24412348172.000000000142C000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409019947.0000000001428000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb^I source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D57000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D57000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D18000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D15000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000003.24411418172.0000000001428000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25526698824.000000000142D000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24412348172.000000000142C000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409019947.0000000001428000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: applaunch.pdb source: injectorQWEEX.exe, 00000000.00000002.25545351239.0000000004541000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25545351239.000000000459D000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.25450375781.00000000045BE000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24698088273.00000000045BE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D57000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D57000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D36370 FindFirstFileExW, 0_2_00D36370

Networking

Source: Malware configuration extractor URLs: 45.15.156.127:23000
Source: global traffic TCP traffic: 192.168.11.20:49751 -> 45.15.156.127:23000
Source: Joe Sandbox View IP Address: 45.15.156.127 45.15.156.127
Source: Joe Sandbox View ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faulth
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/exa
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field1
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field1LR
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field1Response
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field1ResponsetYHq
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field2
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field2D
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field2LR
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field2Response
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field2d
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field2rm
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field3
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field3LR
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field3Response
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field3nm
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/

System Summary

Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, Strings.cs Large array initialization: Strings: array initializer size 6160
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D2C4D0 0_2_00D2C4D0
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D28890 0_2_00D28890
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D274B0 0_2_00D274B0
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D2EC50 0_2_00D2EC50
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D1A840 0_2_00D1A840
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D26030 0_2_00D26030
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D2B030 0_2_00D2B030
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D25C20 0_2_00D25C20
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D2A1E0 0_2_00D2A1E0
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D295E0 0_2_00D295E0
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D19DB0 0_2_00D19DB0
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D3D151 0_2_00D3D151
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D2B6C0 0_2_00D2B6C0
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D2BA90 0_2_00D2BA90
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D156B0 0_2_00D156B0
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D27660 0_2_00D27660
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D1DA10 0_2_00D1DA10
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D253D0 0_2_00D253D0
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D26BC0 0_2_00D26BC0
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D29B10 0_2_00D29B10
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D24B10 0_2_00D24B10
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D26730 0_2_00D26730
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D2E730 0_2_00D2E730
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D28F20 0_2_00D28F20
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D26320 0_2_00D26320
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_03340870 0_2_03340870
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_03340880 0_2_03340880
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_03347668 0_2_03347668
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_0334765A 0_2_0334765A
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_069475B8 0_2_069475B8
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_0694A3F8 0_2_0694A3F8
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_0694A3EA 0_2_0694A3EA
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_069481F8 0_2_069481F8
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: String function: 00D2FDB0 appears 33 times
Source: injectorQWEEX.exe, 00000000.00000002.25545351239.0000000004541000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapplaunch.exeT vs injectorQWEEX.exe
Source: injectorQWEEX.exe, 00000000.00000002.25524783931.00000000010D5000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGristles.exe" vs injectorQWEEX.exe
Source: injectorQWEEX.exe, 00000000.00000002.25545351239.000000000459D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapplaunch.exeT vs injectorQWEEX.exe
Source: injectorQWEEX.exe, 00000000.00000003.25450375781.00000000045BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapplaunch.exeT vs injectorQWEEX.exe
Source: injectorQWEEX.exe, 00000000.00000002.25526194072.00000000013BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs injectorQWEEX.exe
Source: injectorQWEEX.exe, 00000000.00000002.25525360540.00000000012C6000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGristles.exe" vs injectorQWEEX.exe
Source: injectorQWEEX.exe, 00000000.00000003.24698088273.00000000045BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapplaunch.exeT vs injectorQWEEX.exe
Source: injectorQWEEX.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: injectorQWEEX.exe Static PE information: Section: .reloc IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, --.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, --.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/0@0/1
Source: C:\Users\user\Desktop\injectorQWEEX.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: injectorQWEEX.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\injectorQWEEX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: injectorQWEEX.exe Virustotal: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\injectorQWEEX.exe "C:\Users\user\Desktop\injectorQWEEX.exe"
Source: C:\Users\user\Desktop\injectorQWEEX.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe Section loaded: mswsock.dll
Source: injectorQWEEX.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: injectorQWEEX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, --.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: injectorQWEEX.exe Static PE information: real checksum: 0xe574a should be: 0xf2fa3
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D3D861 push ecx; ret 0_2_00D3D874
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_0334F4F0 push esp; retf 0_2_0334F4F1
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_0694DEC8 push es; retf 0_2_0694DF7C
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_06946A60 push es; retn 0004h 0_2_06946FB0
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_0694F280 push es; ret 0_2_0694F290
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_06946FA0 push es; retn 0004h 0_2_06946FB0
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_06941C10 push es; ret 0_2_06941C20
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_06941BB0 push es; ret 0_2_06941BE0
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_06941BF0 push es; ret 0_2_06941C00
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_0694E88A push eax; ret 0_2_0694E891
Source: C:\Users\user\Desktop\injectorQWEEX.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\Desktop\injectorQWEEX.exe Memory allocated: 3340000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\injectorQWEEX.exe Memory allocated: 3540000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\injectorQWEEX.exe Memory allocated: 3480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\injectorQWEEX.exe Window / User API: threadDelayed 9986
Source: C:\Users\user\Desktop\injectorQWEEX.exe API coverage: 7.5 %
Source: C:\Users\user\Desktop\injectorQWEEX.exe TID: 1080 Thread sleep count: 9986 > 30
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D36370 FindFirstFileExW, 0_2_00D36370
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D57000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D57000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlliis
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D33BE6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00D33BE6
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D385F3 GetProcessHeap, 0_2_00D385F3
Source: C:\Users\user\Desktop\injectorQWEEX.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D2FCEC SetUnhandledExceptionFilter, 0_2_00D2FCEC
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D2F6B2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00D2F6B2
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D33BE6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00D33BE6
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D2FB90 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00D2FB90
Source: C:\Users\user\Desktop\injectorQWEEX.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D2FDF5 cpuid 0_2_00D2FDF5
Source: C:\Users\user\Desktop\injectorQWEEX.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe Code function: 0_2_00D2FA77 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00D2FA77
Source: C:\Users\user\Desktop\injectorQWEEX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.25525253706.0000000001242000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.25524783931.0000000001051000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.25525253706.0000000001242000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.25524783931.0000000001051000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: injectorQWEEX.exe PID: 1304, type: MEMORYSTR
Source: Yara match File source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE

Remote Access Functionality

Source: Yara match File source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.25525253706.0000000001242000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.25524783931.0000000001051000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.25525253706.0000000001242000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.25524783931.0000000001051000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: injectorQWEEX.exe PID: 1304, type: MEMORYSTR
Source: Yara match File source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE