Windows Analysis Report KnZsSmDyF3.exe

Overview

General Information

Sample Name: KnZsSmDyF3.exe
Analysis ID: 452449
MD5: aa717550158faf72a3776ce7115f80d3
SHA1: 6d0bbf0b16b7f9e5948c18f488b5428b329821f3
SHA256: b61998322190573353437177fd9a48263cae5d867055800d86b5fcf006253fdc
Tags: exe, RaccoonStealer

Detection

Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
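
The PE-structure signatures in this list (32-bit image, RELOCS_STRIPPED, no imports, an unusual section count and names, a suspicious time stamp) are static checks that can be reproduced without the sandbox. The following is an added example of such a check, written for this page; it is not the sandbox's code and is not derived from the sample's bytes. It parses only what those indicators need and runs on a header-only PE32 image constructed inside the block, so the threshold max_sections=8 and the section-name allow-list are assumptions chosen for illustration.

```python
"""Static PE header triage (added example; not code from the sandbox or the sample).

Re-derives the static indicators the report lists as signatures: 32BIT_MACHINE,
RELOCS_STRIPPED, an empty import directory, an unusual section count,
non-standard section names and an implausible link timestamp. build_sample()
constructs a minimal PE32 header-only image so the check runs offline; pass
pe_triage() the bytes of a real file to use it on disk.
"""
import datetime as dt
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
# Allow-list is an assumption for the example; real linkers emit a few more names.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".CRT", ".pdata", ".xdata"}


def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]            # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        raw = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": raw[0].rstrip(b"\0").decode("latin-1"), "flags": raw[9]})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "dirs": dirs, "sections": sections}


def pe_triage(data, max_sections=8, now_ts=None):
    """Return the list of static indicators found; an empty list means nothing odd."""
    pe = parse_pe(data)
    found = []
    if pe["machine"] == IMAGE_FILE_MACHINE_I386 and pe["characteristics"] & IMAGE_FILE_32BIT_MACHINE:
        found.append("32BIT_MACHINE")
    if pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        found.append("RELOCS_STRIPPED")        # image cannot be rebased; common on packed samples
    imp_rva, imp_size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_IMPORT] if len(pe["dirs"]) > 1 else (0, 0)
    if imp_rva == 0 or imp_size == 0:
        found.append("no import directory (APIs must be resolved at run time)")
    if len(pe["sections"]) > max_sections:
        found.append("%d sections (more than usual)" % len(pe["sections"]))
    odd = [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS]
    if odd:
        found.append("non-standard section names: " + ", ".join(odd))
    built = dt.datetime.fromtimestamp(pe["timestamp"], dt.timezone.utc)
    now = (dt.datetime.fromtimestamp(now_ts, dt.timezone.utc) if now_ts
           else dt.datetime.now(dt.timezone.utc))
    if built > now or built.year < 2000:
        found.append("suspicious link timestamp " + built.isoformat())
    return found


def build_sample(section_names, characteristics, timestamp, with_imports=False):
    """Constructed header-only PE32 image for the example (no real code or data follows)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(section_names),
                       timestamp, 0, 0, 224, characteristics)
    dirs = [(0, 0)] * 16
    if with_imports:
        dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (0x3000, 0x80)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return dos + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    packed = build_sample([".text", ".data", "x1", "x2", ".rsrc", "y3", "y4", "y5", ".reloc"],
                          IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
                          | IMAGE_FILE_RELOCS_STRIPPED, 2 ** 31 - 1)
    for line in pe_triage(packed):
        print("-", line)
```

The checks are deliberately independent, so a benign 32-bit build that has imports, standard sections and a sane timestamp yields only "32BIT_MACHINE"; it is the combination of a missing import directory with odd sections and a stripped relocation table that marks a packed stage, which is what the signatures above describe for this sample.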

Classification

AV Detection:

Found malware configuration
Source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack Malware Configuration Extractor: Raccoon Stealer {"RC4_key2": "25ef3d2ceb7c85368a843a6d0ff8291d", "C2 url": "https://telete.in/jagressor_kz", "Bot ID": "cd8dc1031358b1aec55cc6bc447df1018b068607", "RC4_key1": "$Z2s`ten\\@bE9vzR"}
Multi AV Scanner detection for domain / URL
Source: telete.in Virustotal: Detection: 12%
Source: https://telete.in/jagressor_kz Virustotal: Detection: 12%
Multi AV Scanner detection for submitted file
Source: KnZsSmDyF3.exe Virustotal: Detection: 62%
Source: KnZsSmDyF3.exe Metadefender: Detection: 28%
Source: KnZsSmDyF3.exe ReversingLabs: Detection: 75%
Yara detected Raccoon Stealer
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.2670e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.2670e50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KnZsSmDyF3.exe.2770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KnZsSmDyF3.exe PID: 4712, type: MEMORY
Machine Learning detection for sample
Source: KnZsSmDyF3.exe Joe Sandbox ML: detected
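
The configuration extractor above reports two RC4 keys alongside the Telegram-hosted C2 URL and bot ID, but not which blob each key protects. The added example below is the analyst-side helper for that situation; it is not Raccoon's code and not the sandbox's. It pairs a plain RC4 implementation with a loop that tries each configured key against a base64 blob pulled from memory and keeps the first printable result; the hex-decoded form of the 32-character key is tried as well, on the assumption that it may be a hex-encoded 16-byte key rather than literal ASCII. SAMPLE_BLOB is constructed inside the block by encrypting a placeholder URL under the first key; it is not data recovered from this sample.

```python
"""Applying the RC4 keys from an extracted Raccoon configuration (added example;
not the malware's code and not from the sandbox).

try_keys() decrypts a base64 blob with every candidate key and returns the
first decryption that is entirely printable. The keys are the two values the
report's extractor printed (JSON-unescaped); SAMPLE_BLOB is constructed here.
"""
import base64
import string

CONFIG_KEYS = [b"$Z2s`ten\\@bE9vzR", b"25ef3d2ceb7c85368a843a6d0ff8291d"]
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def rc4(key, data):
    """Textbook RC4 (KSA then PRGA); encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def candidate_keys(keys):
    """Each key as given, plus its raw bytes when it is a 32-char hex string (assumption:
    the report does not say whether that key is ASCII or hex-encoded)."""
    out = []
    for k in keys:
        out.append(("ascii", k))
        if len(k) == 32 and all(c in b"0123456789abcdefABCDEF" for c in k):
            out.append(("hex", bytes.fromhex(k.decode())))
    return out


def looks_like_text(pt):
    """Cheap plaintext oracle: non-empty and every byte printable ASCII."""
    return len(pt) > 0 and all(c in PRINTABLE for c in pt)


def try_keys(blob_b64, keys=CONFIG_KEYS):
    """Return (key_form, key, plaintext) for the first key giving printable output, else None."""
    data = base64.b64decode(blob_b64)
    for form, key in candidate_keys(keys):
        pt = rc4(key, data)
        if looks_like_text(pt):
            return form, key, pt.decode("ascii")
    return None


# Constructed for this example: a placeholder URL encrypted under the first key,
# base64-encoded the way a blob lifted from process memory would be.
SAMPLE_BLOB = base64.b64encode(rc4(CONFIG_KEYS[0], b"https://gate.example.invalid/")).decode()

if __name__ == "__main__":
    print(try_keys(SAMPLE_BLOB))
```

The printable-ASCII oracle is enough for URLs and identifiers but will reject binary payloads; when a blob is expected to decrypt to structured data, replace looks_like_text with a check for the expected magic or format.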

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040CD04 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, 1_2_0040CD04
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040EE22 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 1_2_0040EE22
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040D407 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree, 1_2_0040D407
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004274BC CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 1_2_004274BC
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0042768F lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 1_2_0042768F
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040DE52 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData, 1_2_0040DE52
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040C12D __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey, 1_2_0040C12D
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041E61E __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot, 1_2_0041E61E

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Unpacked PE file: 1.2.KnZsSmDyF3.exe.400000.0.unpack
Uses 32bit PE files
Source: KnZsSmDyF3.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: C:\xiyo\pawiyafa kezig\bokinecabigu\xoze\32\bezunu.pdb source: KnZsSmDyF3.exe
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source: Binary string: C:\xiyo\pawiyafa kezig\bokinecabigu\xoze\32\bezunu.pdb source: KnZsSmDyF3.exe
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043BDC7 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 1_2_0043BDC7
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004329F2 __EH_prolog,GetLogicalDriveStringsA, 1_2_004329F2
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://telete.in/jagressor_kz
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Thu, 22 Jul 2021 09:28:00 GMT | Content-Type: application/octet-stream | Content-Length: 916735 | Connection: keep-alive | Last-Modified: Sat, 10 Jul 2021 15:08:06 GMT | ETag: "60e9b7d6-dfcff" | Accept-Ranges: bytes. The body starts with the MZ stub, e_lfanew = 0x80 and the PE signature (50 45 00 00) at that offset; the COFF header that follows reads Machine 0x014c, 18 sections, TimeDateStamp 0x5c741917 and Characteristics 0x2106 (EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | 32BIT_MACHINE | DLL), so this is a 32-bit DLL served as a generic octet-stream over plain HTTP from 94.228.114.197. Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00
00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 94.228.114.197
Source: global traffic HTTP traffic detected: GET //l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.228.114.197
Source: global traffic HTTP traffic detected: GET //l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.228.114.197
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVContent-Length: 1392Host: 94.228.114.197
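
The entries above are what the networking signatures key on. The added example below is a triage script written for this page, not code from the report or the sample; it re-derives the same findings from constructed records shaped like those entries: requests that carry no User-Agent, a Host header that is a bare IP (which is why the connections to 94.228.114.197 have no DNS query in front of them), and an application/octet-stream response whose first bytes are an executable or archive magic, as the two "Data Raw" bodies in this section do (4d 5a is MZ, 50 4b 03 04 is PK). The request and response records, their header text and the body prefixes are all constructed; only the IP and the content lengths are taken from the report.

```python
"""HTTP triage over sandbox-style traffic entries (added example; not code from
the report or the sample).

Flags what the networking signatures turn on: requests without a User-Agent,
a Host header that is a bare IP literal (no DNS query precedes the connection),
and an application/octet-stream response whose body opens with an executable
or archive magic. RECORDS are constructed to mirror the report's entries and
carry only the first body bytes.
"""
import ipaddress

RECORDS = [  # (direction, raw header block, first body bytes); constructed
    ("request", "POST / HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
                "Pragma: no-cache\r\nContent-Type: text/plain; charset=UTF-8\r\n"
                "Content-Length: 128\r\nHost: 94.228.114.197\r\n", b""),
    ("request", "GET //l/f/example-path HTTP/1.1\r\nCache-Control: no-cache\r\n"
                "Connection: Keep-Alive\r\nPragma: no-cache\r\nHost: 94.228.114.197\r\n", b""),
    ("response", "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/octet-stream\r\n"
                 "Content-Length: 916735\r\n", b"MZ\x90\x00\x03\x00"),
    ("response", "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/octet-stream\r\n"
                 "Content-Length: 2828315\r\n", b"PK\x03\x04\x14\x00"),
    ("request", "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n", b""),
    ("response", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n", b"<!DOCTYPE html>"),
]

MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive"}


def parse_http(raw):
    """Split a raw header block into (request/status line, {lower-cased header: value})."""
    lines = raw.strip("\r\n").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_ip_literal(host):
    """True for '94.228.114.197', '94.228.114.197:8080' or '[::1]:443'; False for host names."""
    for cand in (host, host.rsplit(":", 1)[0]):
        try:
            ipaddress.ip_address(cand.strip("[]"))
            return True
        except ValueError:
            continue
    return False


def triage(records):
    """Return (indicator, detail) pairs for every record that matches one of the three checks."""
    findings = []
    for kind, raw, body in records:
        first_line, headers = parse_http(raw)
        if kind == "request":
            if "user-agent" not in headers:
                findings.append(("no-user-agent", first_line))
            if is_ip_literal(headers.get("host", "")):
                findings.append(("ip-literal-host", headers["host"]))
        else:
            ctype = headers.get("content-type", "").split(";")[0].strip() or "unknown type"
            for magic, what in MAGIC.items():
                if body.startswith(magic):
                    findings.append(("binary-body", "%s served as %s" % (what, ctype)))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(RECORDS):
        print(indicator, "->", detail)
```

None of the three indicators is conclusive on its own (installers fetch octet-streams, and scripts omit a User-Agent), but a client that posts to a bare IP with no User-Agent and then pulls back an MZ image and a ZIP over plain HTTP is the pattern this report records, and the combination is cheap to alert on from a proxy log.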
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.201.225.248 (the peer of the TLS 1.2 connection recorded under Compliance; the only DNS query in the run is for telete.in, the host of the configured C2 URL)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown TCP traffic detected without corresponding DNS query: 94.228.114.197 (50 identical entries in the report: the second-stage C2 is addressed by IP literal, so no name resolution precedes any of these connections and DNS-based detection never sees it; the only DNS query recorded is for telete.in)
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Thu, 22 Jul 2021 09:28:04 GMT | Content-Type: application/octet-stream | Content-Length: 2828315 | Connection: keep-alive | Last-Modified: Sat, 10 Jul 2021 15:08:05 GMT | ETag: "60e9b7d5-2b281b" | Accept-Ranges: bytes. The body starts with a ZIP local file header (50 4b 03 04, deflate) whose first entry name, readable in the dump after the 0b 00 name length, is nssdbm3.dll; this is consistent with the Thunderbird-built NSS, mozglue and sqlite DLLs listed as dropped files under Compliance and with the PK11SDR_Decrypt call under Cryptography: the sample fetches the Mozilla libraries it needs for Firefox/Thunderbird credential decryption instead of carrying them. Data Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc
ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8
Source: global traffic HTTP traffic detected: GET //l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.228.114.197
Source: global traffic HTTP traffic detected: GET //l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.228.114.197
Source: unknown DNS traffic detected: queries for: telete.in
Source: unknown HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 94.228.114.197
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://94.228.114.197
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://94.228.114.197/
Source: KnZsSmDyF3.exe, 00000001.00000003.207802227.0000000000D56000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f277U
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f=jsonoL
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f2y
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f4
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://94.228.114.197/2t
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://94.228.114.197/I_
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://94.228.114.197/S
Source: KnZsSmDyF3.exe, 00000001.00000003.207812712.0000000000D63000.00000004.00000001.sdmp String found in binary or memory: http://94.228.114.197/dhHq
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: softokn3.dll.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0Y
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: softokn3.dll.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: softokn3.dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: softokn3.dll.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: softokn3.dll.1.dr String found in binary or memory: http://www.mozilla.com0
Source: sqlite3.dll.1.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: 1xVPfvJcrg.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1xVPfvJcrg.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1xVPfvJcrg.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1xVPfvJcrg.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1xVPfvJcrg.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: 1xVPfvJcrg.1.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1xVPfvJcrg.1.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: KnZsSmDyF3.exe, 00000001.00000002.219865851.0000000000DBB000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=pV
Source: KnZsSmDyF3.exe, 00000001.00000003.207846057.0000000000DB0000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207812712.0000000000D63000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207851913.0000000000DBB000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207795100.0000000000DC0000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: KnZsSmDyF3.exe, 00000001.00000002.219865851.0000000000DBB000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: KnZsSmDyF3.exe, 00000001.00000003.207846057.0000000000DB0000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207812712.0000000000D63000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207851913.0000000000DBB000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207795100.0000000000DC0000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000002.219853041.0000000000DB0000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000002.219771194.0000000000D36000.00000004.00000001.sdmp String found in binary or memory: https://telete.in/jagressor_kz
Source: KnZsSmDyF3.exe, 00000001.00000002.219771194.0000000000D36000.00000004.00000001.sdmp String found in binary or memory: https://telete.in/jagressor_kzn-
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: https://telete.in/org/img/t_logo.png
Source: KnZsSmDyF3.exe, 00000001.00000002.220797019.000000004C8CD000.00000004.00000001.sdmp String found in binary or memory: https://wa228.114.197/
Source: softokn3.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: KnZsSmDyF3.exe, 00000001.00000003.217777569.0000000000DC3000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0H
Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0n_
Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0renc
Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0
Source: 1xVPfvJcrg.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.3:49718 version: TLS 1.2
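Most of the URLs listed above are not indicators. The mozilla.com, sqlite.org and digicert.com strings come from the dropped Mozilla NSS and SQLite libraries; the lencr.org entries are Let's Encrypt AIA/CRL URLs carried in a certificate chain; and the ecosia, duckduckgo, yahoo and google search strings match Chromium's built-in search-engine definitions, which suggests 1xVPfvJcrg is a copied browser profile database rather than attacker infrastructure. The telete.in channel URL is the string to pivot on (Raccoon's first generation read its C2 address from a Telegram channel page fetched through that gateway; memory-carved copies such as jagressor_kzn- carry trailing bytes), and wa228.114.197 is a truncated string whose top-level label is numeric, so it cannot be a resolvable host. The script below is an added example, not Joe Sandbox output and not Raccoon code: it parses lines in the report's own format and sorts them into library noise, benign hosts, malformed strings, rendezvous hosts and TLS peers. The allowlist, the gateway list and the classification order are this example's assumptions.

```python
"""Sort the report's 'String found in binary or memory' and TLS lines into noise and pivotable indicators.
Added example: allowlist, gateway list and classification rules are assumptions, not sandbox logic."""
from __future__ import annotations
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts that dropped Mozilla/SQLite libraries, certificate chains and copied browser
# profile data leave in memory (assumed allowlist; extend per case).
BENIGN_SUFFIXES = ("mozilla.com", "sqlite.org", "lencr.org", "digicert.com", "googleapis.com",
                   "google.com", "duckduckgo.com", "ecosia.org", "yahoo.com")
TELEGRAM_GATES = {"telete.in", "t.me", "telegram.me"}   # channel pages a bot can read its C2 address from

LINE_RE = re.compile(r"^Source: (?P<src>.+?) String found in binary or memory: (?P<url>\S+)")
TLS_RE = re.compile(r"HTTPS traffic detected: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) ->")
SRC_RE = re.compile(r"\S+\.(?:sdmp|dr)\b")        # one token per memory region or dropped file
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed excerpt: a handful of the report lines above, copied verbatim.
REPORT_EXCERPT = """\
Source: softokn3.dll.1.dr String found in binary or memory: http://www.mozilla.com0
Source: sqlite3.dll.1.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 1xVPfvJcrg.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000002.219771194.0000000000D36000.00000004.00000001.sdmp String found in binary or memory: https://telete.in/jagressor_kz
Source: KnZsSmDyF3.exe, 00000001.00000002.219771194.0000000000D36000.00000004.00000001.sdmp String found in binary or memory: https://telete.in/jagressor_kzn-
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: https://telete.in/org/img/t_logo.png
Source: KnZsSmDyF3.exe, 00000001.00000002.220797019.000000004C8CD000.00000004.00000001.sdmp String found in binary or memory: https://wa228.114.197/
Source: softokn3.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.3:49718 version: TLS 1.2
"""


def host_is_valid(host: str) -> bool:
    """Syntactic check only: carved strings like 'wa228.114.197' fail because the last label is numeric."""
    if IPV4_RE.match(host):
        return all(int(octet) <= 255 for octet in host.split("."))
    labels = host.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels) and not labels[-1].isdigit()


def is_benign(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage_report(text: str) -> dict:
    groups: dict[str, dict] = defaultdict(lambda: {"urls": set(), "sources": set()})
    library: dict[str, set] = defaultdict(set)
    out = {"benign": set(), "malformed": [], "tls_peers": []}
    for line in text.splitlines():
        tls = TLS_RE.search(line)
        if tls:
            out["tls_peers"].append((tls["ip"], int(tls["port"])))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        url, src = m["url"], m["src"]
        host = urlsplit(url).hostname or ""
        if src.endswith(".dr") and ".dll." in src:      # string inside a dropped library, not stealer data
            library[src].add(host)
        elif not host_is_valid(host):
            out["malformed"].append(url)
        elif is_benign(host):
            out["benign"].add(host)
        else:
            groups[host]["urls"].add(url)
            groups[host]["sources"].update(SRC_RE.findall(src))
    c2, candidates = [], []
    for host, g in sorted(groups.items()):
        entry = {"host": host, "urls": sorted(g["urls"]),
                 "shortest": min(g["urls"], key=len),   # carved variants carry trailing bytes; pivot on the shortest
                 "support": len(g["sources"])}          # distinct memory regions / dropped files the host was seen in
        (c2 if host in TELEGRAM_GATES else candidates).append(entry)
    out["c2_rendezvous"], out["candidates"] = c2, candidates
    out["library"] = {k: sorted(v) for k, v in library.items()}
    out["benign"] = sorted(out["benign"])
    return out


if __name__ == "__main__":
    for key, value in triage_report(REPORT_EXCERPT).items():
        print(f"{key}: {value}")
```

The "support" count is the number of distinct memory regions that contained a host; a rendezvous URL seen in two separately mapped regions is stronger evidence than one carved copy with trailing garbage.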

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.2670e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.2670e50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KnZsSmDyF3.exe.2770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KnZsSmDyF3.exe PID: 4712, type: MEMORY

System Summary:

Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043C3A8: DeviceIoControl,GetLastError, 1_2_0043C3A8
Detected potential crypto function
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004340F3 1_2_004340F3
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043454E 1_2_0043454E
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040C72C 1_2_0040C72C
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041E7C4 1_2_0041E7C4
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040CD04 1_2_0040CD04
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040EE22 1_2_0040EE22
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043AFE4 1_2_0043AFE4
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00432F9D 1_2_00432F9D
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040D407 1_2_0040D407
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041D425 1_2_0041D425
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00427858 1_2_00427858
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0042982C 1_2_0042982C
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040DE52 1_2_0040DE52
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041DE02 1_2_0041DE02
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004400D5 1_2_004400D5
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00448140 1_2_00448140
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0044617A 1_2_0044617A
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00458139 1_2_00458139
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00458259 1_2_00458259
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0042837C 1_2_0042837C
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041C315 1_2_0041C315
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004623DB 1_2_004623DB
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004203FE 1_2_004203FE
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00440390 1_2_00440390
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043A492 1_2_0043A492
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041656D 1_2_0041656D
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00440AC0 1_2_00440AC0
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00414A8F 1_2_00414A8F
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0045AC8D 1_2_0045AC8D
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00416E0E 1_2_00416E0E
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041AE2C 1_2_0041AE2C
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0044AF58 1_2_0044AF58
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: String function: 004656D0 appears 127 times
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: String function: 0044CDB9 appears 33 times
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: String function: 0043DE50 appears 40 times
PE file contains more sections than normal
Source: sqlite3.dll.1.dr Static PE information: Number of sections : 18 > 10
PE file contains strange resources
Source: KnZsSmDyF3.exe Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: KnZsSmDyF3.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KnZsSmDyF3.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KnZsSmDyF3.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KnZsSmDyF3.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KnZsSmDyF3.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KnZsSmDyF3.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: KnZsSmDyF3.exe, 00000001.00000002.220638860.000000004BA70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs KnZsSmDyF3.exe
Source: KnZsSmDyF3.exe, 00000001.00000002.221075413.000000006E2FB000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs KnZsSmDyF3.exe
Source: KnZsSmDyF3.exe, 00000001.00000002.220859964.000000006E1A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs KnZsSmDyF3.exe
Source: KnZsSmDyF3.exe, 00000001.00000003.217738997.000000004C8D5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs KnZsSmDyF3.exe
Source: KnZsSmDyF3.exe, 00000001.00000002.220053335.0000000002750000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs KnZsSmDyF3.exe
Uses 32bit PE files
Source: KnZsSmDyF3.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: KnZsSmDyF3.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/66@1/2
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00427783 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree, 1_2_00427783
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Mutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Command line argument: MF 1_2_00464D40
Source: KnZsSmDyF3.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.1.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: KnZsSmDyF3.exe Virustotal: Detection: 62%
Source: KnZsSmDyF3.exe Metadefender: Detection: 28%
Source: KnZsSmDyF3.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: KnZsSmDyF3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: .C:\xiyo\pawiyafa kezig\bokinecabigu\xoze\32\bezunu.pdb source: KnZsSmDyF3.exe
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source: Binary string: C:\xiyo\pawiyafa kezig\bokinecabigu\xoze\32\bezunu.pdb source: KnZsSmDyF3.exe
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Unpacked PE file: 1.2.KnZsSmDyF3.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Unpacked PE file: 1.2.KnZsSmDyF3.exe.400000.0.unpack
Binary contains a suspicious time stamp
Source: ucrtbase.dll.1.dr Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004317EF LoadLibraryA,GetProcAddress,FreeLibrary, 1_2_004317EF
PE file contains sections with non-standard names
Source: sqlite3.dll.1.dr Static PE information: section name: /4
Source: sqlite3.dll.1.dr Static PE information: section name: /19
Source: sqlite3.dll.1.dr Static PE information: section name: /31
Source: sqlite3.dll.1.dr Static PE information: section name: /45
Source: sqlite3.dll.1.dr Static PE information: section name: /57
Source: sqlite3.dll.1.dr Static PE information: section name: /70
Source: sqlite3.dll.1.dr Static PE information: section name: /81
Source: sqlite3.dll.1.dr Static PE information: section name: /92
Source: AccessibleHandler.dll.1.dr Static PE information: section name: .orpc
Source: AccessibleMarshal.dll.1.dr Static PE information: section name: .orpc
Source: IA2Marshal.dll.1.dr Static PE information: section name: .orpc
Source: lgpllibs.dll.1.dr Static PE information: section name: .rodata
Source: MapiProxy.dll.1.dr Static PE information: section name: .orpc
Source: MapiProxy_InUse.dll.1.dr Static PE information: section name: .orpc
Source: mozglue.dll.1.dr Static PE information: section name: .didat
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0046C54A pushad ; retf 1_2_0046C701
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0046C702 pushad ; retf 1_2_0046C701
Source: initial sample Static PE information: section name: .text entropy: 7.91913577979
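Three of the static hits in the System Summary and Data Obfuscation lists above are properties of the legitimately built libraries the sample drops, not of the stealer. The 2054 timestamp on ucrtbase.dll is a reproducible-build hash: Microsoft has written a hash rather than a build time into TimeDateStamp of its binaries for years, so a future date on a Microsoft DLL is expected. The /4 .. /92 section names in sqlite3.dll are COFF long names (an offset into the string table, as GCC/MinGW emit for .debug_* sections) and are what pushes that file to 18 sections. The api-ms-win-* DLLs are API-set forwarder stubs (the OriginalFilename apisetstub string above) and import nothing by design. The .text entropy of 7.92 on the initial sample is the genuine signal and agrees with the two unpacking detections. The script below is an added example, not the sandbox's own logic: it parses a PE with the standard library only, reproduces the section-count, section-name, timestamp and entropy checks, and builds a constructed test image carrying the report's ucrtbase.dll stamp so it runs offline. Thresholds and the analysis date are assumptions.

```python
"""Stdlib-only static PE triage: section count and names, code entropy, future build timestamp.
Added example; thresholds and ANALYSIS_DATE are assumptions, not the sandbox's own values."""
from __future__ import annotations
import hashlib
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone
from math import log2

MAX_NORMAL_SECTIONS = 10          # assumption, mirrors the report's "18 > 10" wording
PACKED_ENTROPY = 7.0              # assumption: code sections above this are usually compressed/encrypted
ANALYSIS_DATE = datetime(2021, 7, 1, tzinfo=timezone.utc)   # assumption: when the sample was analysed
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".tls", ".bss"}

IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
IMAGE_FILE_RELOCS_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE = 0x0001, 0x0002, 0x0100


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes; packed code sits near 8."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(data: bytes) -> dict:
    """Read IMAGE_FILE_HEADER and the section table; entropy is taken over each section's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sections = []
    for i in range(nsec):
        off = e_lfanew + 24 + opt_size + 40 * i
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "characteristics": flags, "entropy": shannon_entropy(body)})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars, "sections": sections}


def triage(pe: dict) -> dict:
    stamp = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=pe["timestamp"])
    out = {"timestamp_utc": stamp.isoformat(),
           "future_timestamp": stamp > ANALYSIS_DATE,
           "section_count": len(pe["sections"]),
           "too_many_sections": len(pe["sections"]) > MAX_NORMAL_SECTIONS,
           "is_32bit_exe": bool(pe["characteristics"] & IMAGE_FILE_32BIT_MACHINE)
                           and bool(pe["characteristics"] & IMAGE_FILE_EXECUTABLE_IMAGE),
           "coff_longname_sections": [], "nonstandard_sections": [], "packed_code_sections": []}
    for s in pe["sections"]:
        name = s["name"]
        if name.startswith("/") and name[1:].isdigit():
            # "/NN": the real name sits at offset NN of the COFF string table (GCC/MinGW); not an obfuscation sign
            out["coff_longname_sections"].append(name)
        elif name not in STANDARD_SECTIONS:
            out["nonstandard_sections"].append(name)
        if s["characteristics"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) and s["entropy"] >= PACKED_ENTROPY:
            out["packed_code_sections"].append((name, round(s["entropy"], 3)))
    return out


def build_pe(timestamp: int, sections: list[tuple[str, bytes, int]],
             characteristics: int = IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_EXECUTABLE_IMAGE
             | IMAGE_FILE_RELOCS_STRIPPED) -> bytes:
    """Constructed minimal PE32 image (DOS header, NT headers, section table, raw data) for offline testing."""
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)                     # zeroed PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), characteristics)
    raw_ptr = 0x40 + 4 + len(file_hdr) + len(opt) + 40 * len(sections)      # raw data follows the headers
    table, raw, va = b"", b"", 0x1000
    for name, body, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(body), va, len(body), raw_ptr, 0, 0, 0, 0, flags)
        raw, raw_ptr, va = raw + body, raw_ptr + len(body), va + 0x1000
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + table + raw


def demo() -> dict:
    """Image with the report's ucrtbase.dll stamp, a high-entropy .text, a GCC '/4' and a '.didat' section."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))   # 4 KiB of hash output, entropy ~7.9
    plain = bytes([0x55, 0x8B, 0xEC, 0x5D, 0xC3]) * 800                           # push ebp; mov ebp,esp; pop ebp; ret
    image = build_pe(0x9E3394C7, [
        (".text", packed, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (".data", plain, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        ("/4", plain, IMAGE_SCN_MEM_READ),
        (".didat", plain, IMAGE_SCN_MEM_READ),
    ])
    return triage(parse_pe(image))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real file, the same parse_pe/triage pair reports the "/NN" names separately from genuinely unusual ones, so a GCC-built sqlite3.dll no longer counts as obfuscated while a 7.9-entropy executable .text still does.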

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nssckbi.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozMapi32.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\qipcap.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\prldap60.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy_InUse.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleMarshal.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nssdbm3.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ldap60.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\lgpllibs.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\IA2Marshal.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\libEGL.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleHandler.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\msvcp140.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ldif60.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\breakpadinjector.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-timezone-l1-1-0.dll

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041DE02 __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0041DE02

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nssckbi.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozMapi32.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\qipcap.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\prldap60.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nssdbm3.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ldap60.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\lgpllibs.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\IA2Marshal.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\libEGL.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleHandler.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ldif60.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\breakpadinjector.dll
Is looking for software installed on the system
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe TID: 3348 Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043BDC7 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 1_2_0043BDC7
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004329F2 __EH_prolog,GetLogicalDriveStringsA, 1_2_004329F2
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043454E __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 1_2_0043454E
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: KnZsSmDyF3.exe, 00000001.00000002.220638860.000000004BA70000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: KnZsSmDyF3.exe, 00000001.00000002.220638860.000000004BA70000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: KnZsSmDyF3.exe, 00000001.00000002.219771194.0000000000D36000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP>
Source: KnZsSmDyF3.exe, 00000001.00000002.220638860.000000004BA70000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: KnZsSmDyF3.exe, 00000001.00000002.220638860.000000004BA70000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043E087 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0043E087
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004317EF LoadLibraryA,GetProcAddress,FreeLibrary, 1_2_004317EF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004448BD mov eax, dword ptr fs:[00000030h] 1_2_004448BD
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040C332 __EH_prolog,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 1_2_0040C332
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043E087 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0043E087
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043E1E9 SetUnhandledExceptionFilter, 1_2_0043E1E9
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004442E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004442E1
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043E3FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0043E3FB

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 1_2_0043454E
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 1_2_0042982C
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_00460011
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: EnumSystemLocalesW, 1_2_00456257
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: GetLocaleInfoW, 1_2_0046020C
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: EnumSystemLocalesW, 1_2_004602FE
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: EnumSystemLocalesW, 1_2_004602B3
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: EnumSystemLocalesW, 1_2_00460399
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_00460424
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: GetLocaleInfoW, 1_2_00460677
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_0046079D
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: GetLocaleInfoW, 1_2_00456884
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: GetLocaleInfoW, 1_2_004608A3
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00460972
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043E2A3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_0043E2A3
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043454E __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 1_2_0043454E
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00433F35 __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor, 1_2_00433F35
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00427858 GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 1_2_00427858
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.2670e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.2670e50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KnZsSmDyF3.exe.2770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KnZsSmDyF3.exe PID: 4712, type: MEMORY
Contains functionality to steal Internet Explorer form passwords
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 1_2_00432621
Found many strings related to Crypto-Wallets (likely being stolen)
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\electrum
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\electroncash
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: heavy_ad_intervention_opt_out.db-journaly.jaxx
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: KnZsSmDyF3.exe, 00000001.00000002.219865851.0000000000DBB000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum Wallet
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: KnZsSmDyF3.exe PID: 4712, type: MEMORY

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.2670e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KnZsSmDyF3.exe.2670e50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KnZsSmDyF3.exe.2770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KnZsSmDyF3.exe PID: 4712, type: MEMORY