Windows Analysis Report 7d9bXpW0im.exe

Overview

General Information

Sample Name: 7d9bXpW0im.exe
Analysis ID: 458956
MD5: 0f838cf9ac70e706ab24f4555618186c
SHA1: 01ab9926ff27f0d253d63fe34c743bbbab05ee8f
SHA256: b1445b8206b5f2f15cd8d9a7bb8e0b551491ed72cb07ccb5f2a1f877b084396c
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 7d9bXpW0im.exe Virustotal: Detection: 30%
Source: 7d9bXpW0im.exe Metadefender: Detection: 25%
Source: 7d9bXpW0im.exe ReversingLabs: Detection: 53%
Machine Learning detection for sample
Source: 7d9bXpW0im.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 7d9bXpW0im.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 7d9bXpW0im.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe DNS query: victairatu.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
    Host: victairatu.xyz
    Content-Length: 137
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
    Host: victairatu.xyz
    Content-Length: 144
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
    Host: victairatu.xyz
    Content-Length: 12087
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
    Host: victairatu.xyz
    Content-Length: 12079
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NANO-ASLV NANO-ASLV
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: victairatu.xyz
Source: unknown HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
    Host: victairatu.xyz
    Content-Length: 137
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 7d9bXpW0im.exe, 00000001.00000002.257227486.00000000006BF000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: 7d9bXpW0im.exe, 00000001.00000002.257227486.00000000006BF000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: 7d9bXpW0im.exe, 00000001.00000002.257227486.00000000006BF000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: 7d9bXpW0im.exe, 00000001.00000002.257227486.00000000006BF000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: http://forms.rea
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: http://go.micros
Source: 7d9bXpW0im.exe, 00000001.00000002.257227486.00000000006BF000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 7d9bXpW0im.exe, 00000001.00000002.257227486.00000000006BF000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: 7d9bXpW0im.exe, 00000001.00000002.257942560.00000000024E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 7d9bXpW0im.exe, 00000001.00000002.257668290.0000000002370000.00000004.00000001.sdmp, 7d9bXpW0im.exe, 00000001.00000002.257682885.0000000002379000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 7d9bXpW0im.exe, 00000001.00000002.257682885.0000000002379000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultx)4
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: http://service.r
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: http://support.a
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092
Source: 7d9bXpW0im.exe, 00000001.00000002.257668290.0000000002370000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/0
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: 7d9bXpW0im.exe, 00000001.00000002.258017733.000000000257C000.00000004.00000001.sdmp, 7d9bXpW0im.exe, 00000001.00000002.257698432.000000000239F000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: 7d9bXpW0im.exe, 00000001.00000002.257942560.00000000024E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: 7d9bXpW0im.exe, 00000001.00000002.257682885.0000000002379000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/t_
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://victairatu.xyz
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://victairatu.xyz/
Source: 7d9bXpW0im.exe, 00000001.00000002.257942560.00000000024E1000.00000004.00000001.sdmp String found in binary or memory: http://victairatu.xyz4
Source: 7d9bXpW0im.exe, 00000001.00000002.258017733.000000000257C000.00000004.00000001.sdmp String found in binary or memory: http://victairatu.xyz4/l
Source: 7d9bXpW0im.exe, 00000001.00000002.257632604.0000000002321000.00000004.00000001.sdmp String found in binary or memory: http://victairatu.xyz:80/
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: 7d9bXpW0im.exe, 00000001.00000002.257837993.000000000249F000.00000004.00000001.sdmp, tmp2CF9.tmp.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 7d9bXpW0im.exe, 00000001.00000002.257682885.0000000002379000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb/geoip
Source: 7d9bXpW0im.exe, 00000001.00000002.261102430.0000000009D70000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 7d9bXpW0im.exe, 00000001.00000002.257682885.0000000002379000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb4/l
Source: 7d9bXpW0im.exe, 00000001.00000002.261102430.0000000009D70000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: 7d9bXpW0im.exe, 00000001.00000002.257837993.000000000249F000.00000004.00000001.sdmp, tmp2CF9.tmp.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 7d9bXpW0im.exe, 00000001.00000002.257837993.000000000249F000.00000004.00000001.sdmp, 7d9bXpW0im.exe, 00000001.00000003.250811151.000000000E791000.00000004.00000001.sdmp, tmp2CF9.tmp.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 7d9bXpW0im.exe, 00000001.00000002.257837993.000000000249F000.00000004.00000001.sdmp, tmp2CF9.tmp.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 7d9bXpW0im.exe, 00000001.00000003.250811151.000000000E791000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabp
Source: 7d9bXpW0im.exe, 00000001.00000002.257837993.000000000249F000.00000004.00000001.sdmp, 7d9bXpW0im.exe, 00000001.00000003.250811151.000000000E791000.00000004.00000001.sdmp, tmp2CF9.tmp.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: https://get.adob
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: https://helpx.ad
Source: 7d9bXpW0im.exe, 00000001.00000002.261102430.0000000009D70000.00000004.00000001.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: 7d9bXpW0im.exe, 00000001.00000002.257731627.00000000023B7000.00000004.00000001.sdmp, 7d9bXpW0im.exe, 00000001.00000002.257721673.00000000023B3000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 7d9bXpW0im.exe, 00000001.00000002.257837993.000000000249F000.00000004.00000001.sdmp, tmp2CF9.tmp.1.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 7d9bXpW0im.exe, 00000001.00000002.257837993.000000000249F000.00000004.00000001.sdmp, tmp2CF9.tmp.1.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 7d9bXpW0im.exe, 00000001.00000002.258385381.00000000027A3000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 7d9bXpW0im.exe, 00000001.00000002.257227486.00000000006BF000.00000004.00000020.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: 7d9bXpW0im.exe, 00000001.00000002.257837993.000000000249F000.00000004.00000001.sdmp, tmp2CF9.tmp.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary:

PE file contains section with special chars
Source: 7d9bXpW0im.exe Static PE information: section name: vMF<;
PE file has nameless sections
Source: 7d9bXpW0im.exe Static PE information: section name:
Detected potential crypto function
Sample file is different than original file name gathered from version info
Source: 7d9bXpW0im.exe Binary or memory string: OriginalFilename vs 7d9bXpW0im.exe
Source: 7d9bXpW0im.exe, 00000001.00000002.256828602.00000000000C6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVentails.exe4 vs 7d9bXpW0im.exe
Source: 7d9bXpW0im.exe, 00000001.00000002.261153779.0000000009DB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 7d9bXpW0im.exe
Source: 7d9bXpW0im.exe Binary or memory string: OriginalFilenameVentails.exe4 vs 7d9bXpW0im.exe
Uses 32bit PE files
Source: 7d9bXpW0im.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 7d9bXpW0im.exe Static PE information: Section: vMF<; ZLIB complexity 1.0003504136
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@2/21@5/1
Source: C:\Users\user\Desktop\7d9bXpW0im.exe File created: C:\Users\user\AppData\Local\Yandex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_01
Source: C:\Users\user\Desktop\7d9bXpW0im.exe File created: C:\Users\user\AppData\Local\Temp\tmpB150.tmp
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\7d9bXpW0im.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\7d9bXpW0im.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\7d9bXpW0im.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 7d9bXpW0im.exe Virustotal: Detection: 30%
Source: 7d9bXpW0im.exe Metadefender: Detection: 25%
Source: 7d9bXpW0im.exe ReversingLabs: Detection: 53%
Source: unknown Process created: C:\Users\user\Desktop\7d9bXpW0im.exe 'C:\Users\user\Desktop\7d9bXpW0im.exe'
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\7d9bXpW0im.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 7d9bXpW0im.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 7d9bXpW0im.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Unpacked PE file: 1.2.7d9bXpW0im.exe.90000.0.unpack vMF<;:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
PE file contains sections with non-standard names
Source: 7d9bXpW0im.exe Static PE information: section name: vMF<;
Source: 7d9bXpW0im.exe Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Code function: 1_2_000B6F6C push esi; iretd 1_2_000B6F74
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Code function: 1_2_000B56DF push 00000004h; iretd 1_2_000B56E1
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Code function: 1_2_009039CC push ss; ret 1_2_009039CD
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Code function: 1_2_00904C97 push esi; iretd 1_2_00904CA2
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Code function: 1_2_043BB180 push cs; ret 1_2_043BB1B4
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Code function: 1_2_0D2EEF40 push ecx; ret 1_2_0D2EEF52
Source: initial sample Static PE information: section name: vMF<; entropy: 7.99898892703
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\7d9bXpW0im.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\7d9bXpW0im.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Window / User API: threadDelayed 1175
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Window / User API: threadDelayed 7520
Is looking for software installed on the system
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\7d9bXpW0im.exe TID: 5576 Thread sleep time: -5534023222112862s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\7d9bXpW0im.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Thread delayed: delay time: 922337203685477
Source: 7d9bXpW0im.exe, 00000001.00000002.262130265.000000000E72D000.00000004.00000001.sdmp Binary or memory string: VMware
Source: 7d9bXpW0im.exe, 00000001.00000002.262130265.000000000E72D000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware4OEY_54OWin32_VideoController8UG9S
Source: 7d9bXpW0im.exe, 00000001.00000002.262093087.000000000E70E000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware4OEY_54OWin32_VideoController8UG9SXA3VideoController120060621000000.000000-00008697421display.infMSBD:L
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Memory allocated: page read and write | page guard

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Users\user\Desktop\7d9bXpW0im.exe VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\7d9bXpW0im.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: 7d9bXpW0im.exe, 00000001.00000002.257227486.00000000006BF000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\7d9bXpW0im.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\7d9bXpW0im.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\7d9bXpW0im.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\7d9bXpW0im.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\7d9bXpW0im.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\7d9bXpW0im.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 1.2.7d9bXpW0im.exe.9d70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.261102430.0000000009D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7d9bXpW0im.exe PID: 3440, type: MEMORYSTR
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\7d9bXpW0im.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\7d9bXpW0im.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\7d9bXpW0im.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\7d9bXpW0im.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\7d9bXpW0im.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: 7d9bXpW0im.exe PID: 3440, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 1.2.7d9bXpW0im.exe.9d70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.261102430.0000000009D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7d9bXpW0im.exe PID: 3440, type: MEMORYSTR
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP