
Analysis Report 8s7bEDfYhT.exe

Overview

General Information

Sample Name: 8s7bEDfYhT.exe
Analysis ID: 397819
MD5: e0f6d15001d810320bbe9614c9365ca6
SHA1: f589ae105a5b33e6fcca8afc7f8688652f7c5392
SHA256: f009a71cf1050cc8c50a9b1accf3e28f174e75eda5f5ebb4764d90baa443aa9c
Tags: exe, FickerStealer

Detection

Ficker Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ficker Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Is looking for software installed on the system
PE file contains sections with non-standard names
PE file contains strange resources
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • 8s7bEDfYhT.exe (PID: 6520 cmdline: 'C:\Users\user\Desktop\8s7bEDfYhT.exe' MD5: E0F6D15001D810320BBE9614C9365CA6)
    • 8s7bEDfYhT.exe (PID: 6572 cmdline: 'C:\Users\user\Desktop\8s7bEDfYhT.exe' MD5: E0F6D15001D810320BBE9614C9365CA6)
  • cleanup

Malware Configuration

Threatname: Ficker Stealer

{"C2 list": ["sodaandcoke.top:80"], "Mutex": ["serhershesrhsfesrf"], "Blacklist Country": ["ru-RU", "be-BY", "uz-UZ", "ua-UA", "hy-AM", "kk-KZ", "az-AZ"]}

Yara Overview

Memory Dumps

Source: 00000003.00000002.350405837.00000000007D8000.00000004.00000020.sdmp | Rule: JoeSecurity_Ficker_Stealer_1 | Description: Yara detected Ficker Stealer | Author: Joe Security
Source: Process Memory Space: 8s7bEDfYhT.exe PID: 6572 | Rule: JoeSecurity_Ficker_Stealer_1 | Description: Yara detected Ficker Stealer | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 2.2.8s7bEDfYhT.exe.4915a0.1.raw.unpack | Malware Configuration Extractor: Ficker Stealer {"C2 list": ["sodaandcoke.top:80"], "Mutex": ["serhershesrhsfesrf"], "Blacklist Country": ["ru-RU", "be-BY", "uz-UZ", "ua-UA", "hy-AM", "kk-KZ", "az-AZ"]}
Multi AV Scanner detection for domain / URL
Source: sodaandcoke.top | Virustotal: Detection: 6%
Source: sodaandcoke.top:80 | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: 8s7bEDfYhT.exe | Virustotal: Detection: 55%
Source: 8s7bEDfYhT.exe | ReversingLabs: Detection: 89%
Machine Learning detection for sample
Source: 8s7bEDfYhT.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_0040BA42 CryptUnprotectData,memmove,LocalFree,3_2_0040BA42
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_0040CECA CryptUnprotectData,memmove,LocalFree,3_2_0040CECA

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Unpacked PE file: 3.2.8s7bEDfYhT.exe.400000.0.unpack
Source: 8s7bEDfYhT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_0042BBF8 memset,FindFirstFileW,memcpy,memcpy,GetLastError,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memmove,memcpy,memcpy,memcpy,memmove,CloseHandle,memcpy,memcpy,3_2_0042BBF8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031132 ET TROJAN Win32/Ficker Stealer Activity M3 192.168.2.6:49714 -> 35.203.73.169:80
Source: Traffic | Snort IDS: 2031132 ET TROJAN Win32/Ficker Stealer Activity M3 192.168.2.6:49722 -> 35.203.73.169:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: sodaandcoke.top:80
May check the online IP address of the machine
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | IP Address: 54.225.155.255 54.225.155.255
Source: global traffic | HTTP traffic detected: GET /?format=xml HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: api.ipify.org Connection: Keep-Alive
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_0042A675 recv,WSAGetLastError,WSAGetLastError,3_2_0042A675
Source: 8s7bEDfYhT.exe, 00000003.00000002.350405837.00000000007D8000.00000004.00000020.sdmp | String found in binary or memory: rsion":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*G[o equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: 8s7bEDfYhT.exe, 00000003.00000003.339905061.00000000007E9000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/?format=xml
Source: 8s7bEDfYhT.exe, 00000003.00000003.339794600.0000000000827000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/?format=xmliC:
Source: 8s7bEDfYhT.exe, 00000003.00000002.350405837.00000000007D8000.00000004.00000020.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInst9n
Source: 8s7bEDfYhT.exe, 00000003.00000002.350451817.000000000082F000.00000004.00000020.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: 8s7bEDfYhT.exe, 00000003.00000002.350405837.00000000007D8000.00000004.00000020.sdmp | String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 8s7bEDfYhT.exe, 00000003.00000003.339794600.0000000000827000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com
Source: 8s7bEDfYhT.exe, 00000003.00000003.339808670.000000000082F000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 8s7bEDfYhT.exe, 00000003.00000002.350405837.00000000007D8000.00000004.00000020.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 8s7bEDfYhT.exe, 00000003.00000002.350451817.000000000082F000.00000004.00000020.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 8s7bEDfYhT.exe, 00000003.00000003.339808670.000000000082F000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_004157AC LoadLibraryA,GetProcAddress,GetProcAddress,CreateMutexA,memset,GetUserDefaultLocaleName,LoadLibraryA,LoadLibraryA,GetProcAddress,URLDownloadToFileA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,memset,SetLastError,GetModuleFileNameW,GetLastError,GetLastError,GetLastError,GetComputerNameW,GetDesktopWindow,GetWindowRect,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesW,GetTimeZoneInformation,GetKeyboardLayoutList,GetLocaleInfoW,CreateToolhelp32Snapshot,Process32First,Process32Next,RegOpenKeyExW,RegQueryInfoKeyW,memset,RegEnumKeyExW,RegOpenKeyExW,RegQueryInfoKeyW,memset,RegEnumKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,CloseHandle,CloseHandle,GetProcessHeap,GetSystemMetrics,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,closesocket,closesocket,memset,SetLastError,GetTempPathW,GetLastError,GetLastError,CloseHandle,LoadLibraryA,GetProcAddress,CreateProcessA,closesocket,GetLastError,3_2_004157AC
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_00429350: GetFileInformationByHandle,memset,DeviceIoControl,3_2_00429350
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: String function: 0040CECF appears 45 times
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: String function: 004041C4 appears 71 times
Source: 8s7bEDfYhT.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8s7bEDfYhT.exe, 00000003.00000002.350370946.00000000007A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs 8s7bEDfYhT.exe
Source: 8s7bEDfYhT.exe, 00000003.00000002.350366600.0000000000790000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 8s7bEDfYhT.exe
Source: 8s7bEDfYhT.exe, 00000003.00000002.350376966.00000000007B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 8s7bEDfYhT.exe
Source: 8s7bEDfYhT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 8s7bEDfYhT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@3/2@3/2
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_00426164 memset,GetModuleHandleW,FormatMessageW,GetLastError,3_2_00426164
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_004157AC LoadLibraryA,GetProcAddress,GetProcAddress,CreateMutexA,memset,GetUserDefaultLocaleName,LoadLibraryA,LoadLibraryA,GetProcAddress,URLDownloadToFileA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,memset,SetLastError,GetModuleFileNameW,GetLastError,GetLastError,GetLastError,GetComputerNameW,GetDesktopWindow,GetWindowRect,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesW,GetTimeZoneInformation,GetKeyboardLayoutList,GetLocaleInfoW,CreateToolhelp32Snapshot,Process32First,Process32Next,RegOpenKeyExW,RegQueryInfoKeyW,memset,RegEnumKeyExW,RegOpenKeyExW,RegQueryInfoKeyW,memset,RegEnumKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,CloseHandle,CloseHandle,GetProcessHeap,GetSystemMetrics,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,closesocket,closesocket,memset,SetLastError,GetTempPathW,GetLastError,GetLastError,CloseHandle,LoadLibraryA,GetProcAddress,CreateProcessA,closesocket,GetLastError,3_2_004157AC
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 2_2_0044CFD0 GetCompressedFileSizeA,OpenWaitableTimerW,GetConsoleAliasW,SetFileTime,GlobalFindAtomW,DisconnectNamedPipe,FindAtomW,GlobalUnlock,GetModuleHandleExW,GetCurrentProcess,FileTimeToSystemTime,_wscanf,SetTimeZoneInformation,SetTapeParameters,GlobalWire,TzSpecificLocalTimeToSystemTime,SetWaitableTimer,_calloc,_calloc,_wscanf,_memset,__vswprintf_c_l,_calloc,_feof,LocalAlloc,lstrcatW,GetModuleHandleW,GetProcAddress,VirtualProtect,SetSystemTimeAdjustment,GetFileAttributesW,TerminateProcess,SizeofResource,InterlockedIncrement,InterlockedIncrement,SetFileAttributesA,WriteConsoleOutputCharacterW,SetFileAttributesA,WriteConsoleOutputCharacterW,OpenWaitableTimerW,GetAtomNameA,SetConsoleScreenBufferSize,GetAtomNameA,SetConsoleScreenBufferSize,2_2_0044CFD0
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Mutant created: \Sessions\1\BaseNamedObjects\serhershesrhsfesrf
Source: 8s7bEDfYhT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 8s7bEDfYhT.exe | Virustotal: Detection: 55%
Source: 8s7bEDfYhT.exe | ReversingLabs: Detection: 89%
Source: unknown | Process created: C:\Users\user\Desktop\8s7bEDfYhT.exe 'C:\Users\user\Desktop\8s7bEDfYhT.exe'
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Process created: C:\Users\user\Desktop\8s7bEDfYhT.exe 'C:\Users\user\Desktop\8s7bEDfYhT.exe'
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Process created: C:\Users\user\Desktop\8s7bEDfYhT.exe 'C:\Users\user\Desktop\8s7bEDfYhT.exe'

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Unpacked PE file: 3.2.8s7bEDfYhT.exe.400000.0.unpack .text:ER;.data:W;.kug:R;.tls:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.data:W;.rdata:R;/4:R;.bss:W;.idata:W;.CRT:W;.tls:W;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Unpacked PE file: 3.2.8s7bEDfYhT.exe.400000.0.unpack
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 2_2_004112C5 __decode_pointer,LoadLibraryA,GetProcAddress,GetLastError,GetLastError,GetLastError,__encode_pointer,InterlockedExchange,FreeLibrary,2_2_004112C5
Source: 8s7bEDfYhT.exe | Static PE information: section name: .kug
Source: 8s7bEDfYhT.exe | Static PE information: section name: .new
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 2_2_00404209 push ecx; ret 2_2_0040421C
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 2_2_0047BA98 push AF0044FCh; retf 0041h 2_2_0047BA9D
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 2_2_004034D9 push ecx; ret 2_2_004034EC
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_00435DC0 push dword ptr [eax+04h]; ret 3_2_00435DEF
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_00437605 push ss; ret 3_2_00437606
Source: initial sample | Static PE information: section name: .text entropy: 7.54573831986
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_004157AC LoadLibraryA,GetProcAddress,GetProcAddress,CreateMutexA,memset,GetUserDefaultLocaleName,LoadLibraryA,LoadLibraryA,GetProcAddress,URLDownloadToFileA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,memset,SetLastError,GetModuleFileNameW,GetLastError,GetLastError,GetLastError,GetComputerNameW,GetDesktopWindow,GetWindowRect,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesW,GetTimeZoneInformation,GetKeyboardLayoutList,GetLocaleInfoW,CreateToolhelp32Snapshot,Process32First,Process32Next,RegOpenKeyExW,RegQueryInfoKeyW,memset,RegEnumKeyExW,RegOpenKeyExW,RegQueryInfoKeyW,memset,RegEnumKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,CloseHandle,CloseHandle,GetProcessHeap,GetSystemMetrics,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,closesocket,closesocket,memset,SetLastError,GetTempPathW,GetLastError,GetLastError,CloseHandle,LoadLibraryA,GetProcAddress,CreateProcessA,closesocket,GetLastError,3_2_004157AC
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_0042BBF8 memset,FindFirstFileW,memcpy,memcpy,GetLastError,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memmove,memcpy,memcpy,memcpy,memmove,CloseHandle,memcpy,memcpy,3_2_0042BBF8
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_004157AC LoadLibraryA,GetProcAddress,GetProcAddress,CreateMutexA,memset,GetUserDefaultLocaleName,LoadLibraryA,LoadLibraryA,GetProcAddress,URLDownloadToFileA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,memset,SetLastError,GetModuleFileNameW,GetLastError,GetLastError,GetLastError,GetComputerNameW,GetDesktopWindow,GetWindowRect,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesW,GetTimeZoneInformation,GetKeyboardLayoutList,GetLocaleInfoW,CreateToolhelp32Snapshot,Process32First,Process32Next,RegOpenKeyExW,RegQueryInfoKeyW,memset,RegEnumKeyExW,RegOpenKeyExW,RegQueryInfoKeyW,memset,RegEnumKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,CloseHandle,CloseHandle,GetProcessHeap,GetSystemMetrics,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,closesocket,closesocket,memset,SetLastError,GetTempPathW,GetLastError,GetLastError,CloseHandle,LoadLibraryA,GetProcAddress,CreateProcessA,closesocket,GetLastError,3_2_004157AC
Source: 8s7bEDfYhT.exe, 00000003.00000003.339808670.000000000082F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: 8s7bEDfYhT.exe, 00000003.00000002.350405837.00000000007D8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW,
Source: 8s7bEDfYhT.exe, 00000003.00000002.350405837.00000000007D8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWp6
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 2_2_004020C8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_004020C8
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 2_2_004112C5 __decode_pointer,LoadLibraryA,GetProcAddress,GetLastError,GetLastError,GetLastError,__encode_pointer,InterlockedExchange,FreeLibrary,2_2_004112C5
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 2_2_00423341 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,2_2_00423341
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 2_2_0041B841 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0041B841
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 2_2_004020C8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_004020C8
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 2_2_00403994 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00403994
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 2_2_0040AD9D SetUnhandledExceptionFilter,2_2_0040AD9D
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_0040115C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,3_2_0040115C
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_00401150 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,3_2_00401150
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_004013C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,3_2_004013C9
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_00434F7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,3_2_00434F7C
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: 3_2_00434F80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,3_2_00434F80
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Process created: C:\Users\user\Desktop\8s7bEDfYhT.exe 'C:\Users\user\Desktop\8s7bEDfYhT.exe'
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: GetLocaleInfoW,2_2_0042207D
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: EnumSystemLocalesA,2_2_0041E804
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,2_2_0041C824
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_0041E82E
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,2_2_0041E8D1
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_0041E895
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,2_2_00422096
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_0041C1B6
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: GetLocaleInfoA,2_2_00424A53
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,2_2_0041CAAF
Source: C:\Users\user\Desktop\8s7bEDfYhT.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,2_2_0041E34C
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,2_2_004113CD
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,2_2_0041E463
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,2_2_0041E4FB
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeCode function: GetLocaleInfoA,2_2_00423D45
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,2_2_0041E56F
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,2_2_0041CD75
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeCode function: LCMapStringA,GetLocaleInfoW,2_2_0044CEC0
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,2_2_0041E741
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeCode function: LoadLibraryA,GetProcAddress,GetProcAddress,CreateMutexA,memset,GetUserDefaultLocaleName,LoadLibraryA,LoadLibraryA,GetProcAddress,URLDownloadToFileA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,memset,SetLastError,GetModuleFileNameW,GetLastError,GetLastError,GetLastError,GetComputerNameW,GetDesktopWindow,GetWindowRect,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesW,GetTimeZoneInformation,GetKeyboardLayoutList,GetLocaleInfoW,CreateToolhelp32Snapshot,Process32First,Process32Next,RegOpenKeyExW,RegQueryInfoKeyW,memset,RegEnumKeyExW,RegOpenKeyExW,RegQueryInfoKeyW,memset,RegEnumKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,CloseHandle,CloseHandle,GetProcessHeap,GetSystemMetrics,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,closesocket,closesocket,memset,SetLastError,GetTempPathW,GetLastError,GetLastError,CloseHandle,LoadLibraryA,GetProcAddress,CreateProcessA,closesocket,GetLastError,3_2_004157AC
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\AppData\Roaming VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\AppData\Roaming VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\AppData\Local VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\Desktop VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\Documents VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\AppData\Local\Application Data VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\AppData\Local VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeCode function: 2_2_0040B896 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,2_2_0040B896
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeCode function: 2_2_00424116 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,2_2_00424116
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Stealing of Sensitive Information:

      Yara detected Ficker Stealer
      Source: Yara match File source: 00000003.00000002.350405837.00000000007D8000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: 8s7bEDfYhT.exe PID: 6572, type: MEMORY
      Found many strings related to Crypto-Wallets (likely being stolen)
      Source: 8s7bEDfYhT.exe, 00000003.00000002.350405837.00000000007D8000.00000004.00000020.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\walletsDatakings
      Source: 8s7bEDfYhT.exe, 00000003.00000002.350451817.000000000082F000.00000004.00000020.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
      Source: 8s7bEDfYhT.exe, 00000003.00000002.350405837.00000000007D8000.00000004.00000020.sdmp String found in binary or memory: Update for Microsoft Office 2016 (KB3178666) 32-Bit Editioning\Exodus\exodus.walletINetCacheA
      Source: 8s7bEDfYhT.exe, 00000003.00000002.350405837.00000000007D8000.00000004.00000020.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystoreettingsB
      Tries to harvest and steal Bitcoin Wallet information
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Local State
      Tries to steal Instant Messenger accounts or passwords
      Source: C:\Users\user\Desktop\8s7bEDfYhT.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml

      Remote Access Functionality:

      Yara detected Ficker Stealer
      Source: Yara match File source: 00000003.00000002.350405837.00000000007D8000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: 8s7bEDfYhT.exe PID: 6572, type: MEMORY

      Mitre Att&ck Matrix

      Techniques listed per tactic column (digits following a technique name are the report's signature-count badges):

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
      Execution: Native API 1; Command and Scripting Interpreter 2; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
      Persistence: Application Shimming 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
      Privilege Escalation: Application Shimming 1; Process Injection 11; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
      Defense Evasion: Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3; Software Packing 22; Masquerading 1; Process Injection 11; Steganography; Compile After Delivery
      Credential Access: OS Credential Dumping 1; Credentials in Registry 2; Credentials In Files 1; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
      Discovery: System Time Discovery 2; File and Directory Discovery 1; System Information Discovery 44; Security Software Discovery 21; Process Discovery 12; Remote System Discovery 1; System Network Configuration Discovery 1
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
      Collection: Archive Collected Data 1; Data from Local System 2; Screen Capture 1; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
      Command and Control: Ingress Tool Transfer 2; Encrypted Channel 2; Non-Application Layer Protocol 2; Application Layer Protocol 112; Fallback Channels; Multiband Communication; Commonly Used Port
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact