Play interactive tour

Edit tour

Windows Analysis Report gmAszjZqKD.exe

Overview

General Information

Sample Name:	gmAszjZqKD.exe
Analysis ID:	435329
MD5:	a8fcf9f01f6ac912a38cb17e59eb1ed0
SHA1:	40072436d5bd265261bcf0bfd5cfbb046e70a97a
SHA256:	9d56ad7e390d35d3fcf2bc03ac7b38e5efeee12e8bbc2917a375e6cf8c65d69f
Tags:	AveMariaRATexeRAT
Infos:
Errors Nothing to analyse, Joe Sandbox has not found any analysis process or sample Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

AveMaria UACMe

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Contains functionality to hide user accounts

Machine Learning detection for sample

Installs a raw input device (often for capturing keystrokes)

PE file contains executable resources (Code or Archives)

PE file overlay found

Uses 32bit PE files

Yara detected Credential Stealer

Yara signature match

Classification

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
gmAszjZqKD.exe	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
gmAszjZqKD.exe	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
gmAszjZqKD.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
gmAszjZqKD.exe	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
gmAszjZqKD.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
gmAszjZqKD.exe	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
gmAszjZqKD.exe	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
Click to see the 2 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: gmAszjZqKD.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: gmAszjZqKD.exe	Virustotal: Detection: 72%			Perma Link
Source: gmAszjZqKD.exe	ReversingLabs: Detection: 89%

Yara detected AveMaria stealer

Show sources

Source: Yara match

File source: gmAszjZqKD.exe, type: SAMPLE

Machine Learning detection for sample

Show sources

Source: gmAszjZqKD.exe

Joe Sandbox ML: detected

Exploits:

Yara detected UACMe UAC Bypass tool

Show sources

Source: Yara match

File source: gmAszjZqKD.exe, type: SAMPLE

Source: gmAszjZqKD.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: gmAszjZqKD.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: gmAszjZqKD.exe

String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

Source: gmAszjZqKD.exe

Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer

Show sources

Source: Yara match

File source: gmAszjZqKD.exe, type: SAMPLE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: gmAszjZqKD.exe, type: SAMPLE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: gmAszjZqKD.exe, type: SAMPLE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: gmAszjZqKD.exe, type: SAMPLE	Matched rule: AveMaria_WarZone Author: unknown

Source: gmAszjZqKD.exe

Static PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: gmAszjZqKD.exe

Static PE information: Data appended to the last section found

Source: gmAszjZqKD.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: gmAszjZqKD.exe, type: SAMPLE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: gmAszjZqKD.exe, type: SAMPLE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: gmAszjZqKD.exe, type: SAMPLE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: gmAszjZqKD.exe, type: SAMPLE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: classification engine

Classification label: mal88.troj.expl.winEXE@0/0@0/0

Source: gmAszjZqKD.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: gmAszjZqKD.exe	Virustotal: Detection: 72%
Source: gmAszjZqKD.exe	ReversingLabs: Detection: 89%

Source: gmAszjZqKD.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: gmAszjZqKD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts

Show sources

Source: gmAszjZqKD.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: gmAszjZqKD.exe	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType

Stealing of Sensitive Information:

Yara detected AveMaria stealer

Show sources

Source: Yara match

File source: gmAszjZqKD.exe, type: SAMPLE

Source: Yara match

File source: gmAszjZqKD.exe, type: SAMPLE

Remote Access Functionality:

Yara detected AveMaria stealer

Show sources

Source: Yara match

File source: gmAszjZqKD.exe, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Hidden Users1	Input Capture11	System Service Discovery	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gmAszjZqKD.exe	72%	Virustotal		Browse
gmAszjZqKD.exe	90%	ReversingLabs	Win32.Backdoor.Remcos
gmAszjZqKD.exe	100%	Avira	TR/Redcap.ghjpt
gmAszjZqKD.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/syohex/java-simple-mine-sweeperC:	gmAszjZqKD.exe	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	435329
Start date:	16.06.2021
Start time:	12:28:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	gmAszjZqKD.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.expl.winEXE@0/0@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Unable to launch sample, stop analysis
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
Errors:	Nothing to analyse, Joe Sandbox has not found any analysis process or sample Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.3223585086508205
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gmAszjZqKD.exe
File size:	112035
MD5:	a8fcf9f01f6ac912a38cb17e59eb1ed0
SHA1:	40072436d5bd265261bcf0bfd5cfbb046e70a97a
SHA256:	9d56ad7e390d35d3fcf2bc03ac7b38e5efeee12e8bbc2917a375e6cf8c65d69f
SHA512:	e59eb3818a70cb1fbf3b0463622faec08320109d1791aaf7c7052ecd1dfec3ed1c7e645aa54f02f773367989b2f6031e8b1962fd548ff7ef00e8e4475d26005d
SSDEEP:	1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE013:K1VmhaH8EFvW+0OVE0h
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z]..><..><..><...3..?<..7D..?<...3..<<......?<......=<..;0..?<..7D..:<..7D..!<..><...<...U..N<...Um.?<...U..?<..Rich><.........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x405ce2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F49FB9C [Sat Aug 29 06:54:20 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	51a1d638436da72d7fa5fb524e02d427

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 44h
push esi
call dword ptr [004141E8h]
mov ecx, eax
mov al, byte ptr [ecx]
cmp al, 22h
jne 00007F9C8096790Ah
inc ecx
mov dl, byte ptr [ecx]
test dl, dl
je 00007F9C809678F3h
mov al, dl
mov dl, al
cmp al, 22h
je 00007F9C809678EBh
inc ecx
mov dl, byte ptr [ecx]
mov al, dl
test dl, dl
jne 00007F9C809678D3h
lea eax, dword ptr [ecx+01h]
cmp dl, 00000022h
cmovne eax, ecx
mov ecx, eax
jmp 00007F9C809678F0h
inc ecx
mov al, byte ptr [ecx]
cmp al, 20h
jnle 00007F9C809678DBh
jmp 00007F9C809678E9h
cmp al, 20h
jnle 00007F9C809678E9h
inc ecx
mov al, byte ptr [ecx]
test al, al
jne 00007F9C809678D7h
and dword ptr [ebp-18h], 00000000h
lea eax, dword ptr [ebp-44h]
push eax
call dword ptr [00414140h]
call 00007F9C80967912h
mov edx, 0041902Ch
mov ecx, 00419000h
call 00007F9C80967930h
push 00000000h
call dword ptr [004141ECh]
push ecx
push ecx
call 00007F9C80974FB9h
mov esi, eax
call 00007F9C80967902h
push esi
call dword ptr [004141F0h]
int3
mov dword ptr [0054DB64h], 00000020h
call 00007F9C809677F4h
mov dword ptr [0054D0E4h], eax
ret
mov eax, dword ptr [0054E01Ch]
test eax, eax
je 00007F9C809678F0h
mov ecx, dword ptr [0054D0E4h]
lea edx, dword ptr [ecx+eax*4]
jmp 00007F9C809678E6h
ret
push ebx
push esi
push edi
mov edi, ecx
mov esi, edx
sub esi, edi
xor eax, eax
add esi, 00000000h

Rich Headers

Programming Language:

[ASM] VS2003 (.NET) build 3077
[ C ] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[C++] VS2005 build 50727
[C++] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1771c	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14f000	0x2c70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x152000	0xfa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x175a0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x14000	0x370	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12eab	0x13000	False	0.574822676809	data	6.49494739154	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x14000	0x49ce	0x4a00	False	0.404666385135	data	5.28154165346	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x1350d8	0x600	False	0.570963541667	data	4.99296329391	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14f000	0x2c70	0x2e00	False	0.327785326087	data	3.95871566709	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x152000	0xfa8	0x1000	False	0.926960257787	data	6.58382237931	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x153000	0x1000	0x200	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
WM_DSP	0x14f070	0x2c00	PE32 executable (GUI) Intel 80386, for MS Windows	English	India

Imports

DLL	Import
bcrypt.dll	BCryptSetProperty, BCryptGenerateSymmetricKey, BCryptOpenAlgorithmProvider, BCryptDecrypt
KERNEL32.dll	HeapFree, VirtualAlloc, HeapReAlloc, VirtualQuery, TerminateThread, CreateThread, WriteProcessMemory, GetCurrentProcess, OpenProcess, GetWindowsDirectoryA, VirtualProtectEx, VirtualAllocEx, CreateRemoteThread, CreateProcessA, GetModuleHandleW, IsWow64Process, WriteFile, CreateFileW, LoadLibraryW, GetLocalTime, GetCurrentThreadId, GetCurrentProcessId, ReadFile, FindFirstFileA, GetBinaryTypeW, FindNextFileA, GetFullPathNameA, GetTempPathW, GetPrivateProfileStringW, CreateFileA, GlobalAlloc, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFileSize, FreeLibrary, SetDllDirectoryW, GetFileSizeEx, LoadLibraryA, LocalFree, WaitForSingleObject, WaitForMultipleObjects, CreatePipe, PeekNamedPipe, DuplicateHandle, SetEvent, GetStartupInfoA, CreateEventA, GetModuleFileNameW, LoadResource, FindResourceW, GetComputerNameW, GlobalMemoryStatusEx, LoadLibraryExW, FindFirstFileW, FindNextFileW, SetFilePointer, GetLogicalDriveStringsW, DeleteFileW, CopyFileW, GetDriveTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetProcessHeap, ReleaseMutex, TerminateProcess, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, SizeofResource, VirtualProtect, GetSystemDirectoryW, LockResource, GetWindowsDirectoryW, Process32First, Process32Next, WinExec, GetTempPathA, HeapAlloc, lstrcmpW, GetTickCount, lstrcpyW, WideCharToMultiByte, lstrcpyA, Sleep, MultiByteToWideChar, GetCommandLineA, GetModuleHandleA, ExitProcess, CreateProcessW, lstrcatA, lstrcmpA, lstrlenA, ExpandEnvironmentStringsW, lstrlenW, CloseHandle, lstrcatW, GetLastError, VirtualFree, GetProcAddress, SetLastError, GetModuleFileNameA, CreateDirectoryW, LocalAlloc, CreateMutexA
USER32.dll	GetKeyState, GetMessageA, DispatchMessageA, CreateWindowExW, CallNextHookEx, GetAsyncKeyState, RegisterClassW, GetRawInputData, MapVirtualKeyA, DefWindowProcA, RegisterRawInputDevices, TranslateMessage, GetForegroundWindow, GetKeyNameTextW, PostQuitMessage, MessageBoxA, GetLastInputInfo, wsprintfW, GetWindowTextW, wsprintfA, ToUnicode
ADVAPI32.dll	RegDeleteKeyW, RegCreateKeyExW, RegSetValueExA, RegDeleteValueW, LookupPrivilegeValueW, AdjustTokenPrivileges, AllocateAndInitializeSid, OpenProcessToken, InitializeSecurityDescriptor, RegDeleteKeyA, SetSecurityDescriptorDacl, RegOpenKeyExW, RegOpenKeyExA, RegEnumKeyExW, RegQueryValueExA, RegQueryInfoKeyW, RegCloseKey, OpenServiceW, ChangeServiceConfigW, QueryServiceConfigW, EnumServicesStatusExW, StartServiceW, RegSetValueExW, RegCreateKeyExA, OpenSCManagerW, CloseServiceHandle, GetTokenInformation, LookupAccountSidW, FreeSid, RegQueryValueExW
SHELL32.dll	ShellExecuteExA, ShellExecuteExW, SHGetSpecialFolderPathW, SHCreateDirectoryExW, ShellExecuteW, SHGetFolderPathW, SHGetKnownFolderPath
urlmon.dll	URLDownloadToFileW
WS2_32.dll	htons, recv, connect, socket, send, WSAStartup, shutdown, closesocket, WSACleanup, InetNtopW, gethostbyname, inet_addr, getaddrinfo, setsockopt, freeaddrinfo
ole32.dll	CoInitializeSecurity, CoCreateInstance, CoInitialize, CoUninitialize, CoTaskMemFree
SHLWAPI.dll	StrStrW, PathRemoveFileSpecA, StrStrA, PathCombineA, PathFindFileNameW, PathFileExistsW, PathFindExtensionW
NETAPI32.dll	NetLocalGroupAddMembers, NetUserAdd
OLEAUT32.dll	VariantInit
CRYPT32.dll	CryptUnprotectData, CryptStringToBinaryA, CryptStringToBinaryW
PSAPI.DLL	GetModuleFileNameExW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	India

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly

Reset < >

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report gmAszjZqKD.exe

Overview

General Information

Detection

Signatures

Classification

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

Signature Overview

AV Detection:

Exploits:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

System Behavior

Disassembly