
Windows Analysis Report GimmerBot.exe

Overview

General Information

Sample Name: GimmerBot.exe
Analysis ID: 478824
MD5: dbde99c0ef07b4c3e3339189b950f9d1
SHA1: c85e474225c32359054e96e81f7c3d16a85cc65d
SHA256: dda8e5e4b93708ef5042d3e46027670a9ffa93f4c18646d0e48b13f8d1b013fe
Tags: bitbucketorgexe

Detection

Grandsteal
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected Grandsteal
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains method to dynamically call methods (often used by packers)
Found many strings related to Crypto-Wallets (likely being stolen)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • GimmerBot.exe (PID: 5148 cmdline: 'C:\Users\user\Desktop\GimmerBot.exe' MD5: DBDE99C0EF07B4C3E3339189B950F9D1)
    • GimmerBot.exe (PID: 1400 cmdline: {path} MD5: DBDE99C0EF07B4C3E3339189B950F9D1)
  • cleanup

Malware Configuration

Threatname: Grandsteal

{"C2 url": ["195.2.75.10:2012"], "Bot Id": "fbgimmer"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Grandsteal | Yara detected Grandsteal | Joe Security |
00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.248714982.0000000003151000.00000004.00000001.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth | 0x6950:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp | JoeSecurity_Grandsteal | Yara detected Grandsteal | Joe Security |
00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(5 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.GimmerBot.exe.400000.0.unpack | JoeSecurity_Grandsteal | Yara detected Grandsteal | Joe Security |
4.2.GimmerBot.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.2.GimmerBot.exe.44e3728.3.unpack | JoeSecurity_Grandsteal | Yara detected Grandsteal | Joe Security |
1.2.GimmerBot.exe.44e3728.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.2.GimmerBot.exe.44e3728.3.raw.unpack | JoeSecurity_Grandsteal | Yara detected Grandsteal | Joe Security |
(1 further entry not shown)
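The SUSP_Reversed_Base64_Encoded_EXE hit in the memory dump is worth decoding by hand: the quoted $sh3 string is the DOS-stub sentence "This program cannot be run in DOS mode." base64-encoded and written backwards, which is how a .NET loader hides an embedded PE from carvers that only look for forward base64. The Python below is an added example, not code from the Joe Sandbox report or from the Yara rule itself. It derives the marker for all three base64 input alignments (only the $sh3 value is on this page; the other two are computed here, not quoted from the rule), then carves, reverses and decodes such a blob and accepts it only if the result starts with an MZ header. The sample blob is constructed inline and stands in for a .NET string constant.

```python
import base64
import binascii

# $sh3 string quoted in the report's SUSP_Reversed_Base64_Encoded_EXE match.
REPORT_MARKER = "uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def decode_reversed_base64(marker: str) -> bytes:
    """Reverse the characters, then base64-decode; pads a truncated tail if needed."""
    forward = marker[::-1]
    forward += "=" * (-len(forward) % 4)
    return base64.b64decode(forward)


def reversed_markers(text: bytes = DOS_STUB_TEXT) -> list:
    """Reversed-base64 form of `text` for all three input alignments.
    Base64 maps 3 bytes to 4 chars, so the same text encodes differently depending
    on its offset mod 3 in the file; index 0 is the alignment the report matched."""
    out = []
    for shift in range(3):
        padded = b"\x00" * shift + text
        enc = base64.b64encode(padded).decode()
        first = 4 if shift else 0                          # drop the group holding the prefix bytes
        last = len(enc) - (4 if len(padded) % 3 else 0)    # drop a partial trailing group
        out.append(enc[first:last][::-1])
    return out


def find_reversed_base64_pe(blob: bytes) -> list:
    """Locate reversed-base64 PEs inside `blob`: hit a marker, widen to the whole
    base64 run, reverse+decode, and keep only runs that decode to an MZ header.
    Returns [(offset_of_run, decoded_bytes), ...] sorted by offset."""
    hits = {}
    for marker in (m.encode() for m in reversed_markers()):
        pos = blob.find(marker)
        while pos != -1:
            start, end = pos, pos + len(marker)
            while start > 0 and blob[start - 1] in B64_ALPHABET:
                start -= 1
            while end < len(blob) and blob[end] in B64_ALPHABET:
                end += 1
            if start not in hits:
                try:
                    decoded = decode_reversed_base64(blob[start:end].decode("ascii"))
                except (binascii.Error, ValueError):
                    decoded = b""
                if decoded[:2] == b"MZ":
                    hits[start] = decoded
            pos = blob.find(marker, pos + 1)
    return sorted(hits.items())


def build_sample_blob(stub_offset: int = 0x4E) -> bytes:
    """Constructed stand-in for a .NET string constant holding a reversed-base64 PE.
    A real DOS stub puts the sentence at 0x4E (right after the '!'); other offsets
    change the base64 alignment and therefore which marker fires."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    pe[stub_offset - 1:stub_offset + len(DOS_STUB_TEXT)] = b"!" + DOS_STUB_TEXT
    pe[0x80:0x84] = b"PE\x00\x00"
    payload = base64.b64encode(bytes(pe)).decode()[::-1].encode()
    return b'static string s = "' + payload + b'";'
```

Searching for all three alignments matters because the stub sentence sits at a fixed file offset only in a stock linker stub; a re-stubbed or prepended binary shifts it, and the forward-only marker then misses. Widening to the whole base64 run before decoding is what turns a string hit into the carved second-stage PE that the report's unpacked-PE table shows.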

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.GimmerBot.exe.400000.0.unpack | Malware Configuration Extractor: Grandsteal {"C2 url": ["195.2.75.10:2012"], "Bot Id": "fbgimmer"}
Multi AV Scanner detection for submitted file
Source: GimmerBot.exe | Virustotal: Detection: 64%
Source: GimmerBot.exe | ReversingLabs: Detection: 55%
Antivirus / Scanner detection for submitted sample
Source: GimmerBot.exe | Avira: detected
Antivirus detection for URL or domain
Source: https://f.tsuyogari.ru/192843027.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://f.tsuyogari.ru/192843027.exe | Virustotal: Detection: 12%
Source: GimmerBot.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: GimmerBot.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 4x nop then jmp 01537631h | 1_2_0153750F
Source: Joe Sandbox View | ASN Name: VDSINA-ASRU VDSINA-ASRU
Source: global traffic | TCP traffic: 192.168.2.7:49705 -> 195.2.75.10:2012
Source: unknown | TCP traffic detected without corresponding DNS query: 195.2.75.10 (reported 3 times)
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://api.ipify.org/
Source: GimmerBot.exe | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: GimmerBot.exe | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: GimmerBot.exe | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: GimmerBot.exe | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: GimmerBot.exe | String found in binary or memory: http://crl.globalsign.net/root.crl0O
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ip-api.com/json/
Source: GimmerBot.exe | String found in binary or memory: http://ocsp.globalsign.com/ExtendedSSLSHA256CACross0
Source: GimmerBot.exe | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: GimmerBot.exe | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: GimmerBot.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: GimmerBot.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://stackoverflow.com/q/11564914;
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://stackoverflow.com/q/14436606/
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://stackoverflow.com/q/2152978/23354sCannot
Source: GimmerBot.exe | String found in binary or memory: http://www.globalsign.net/repository/03
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://f.tsuyogari.ru/192843027.exe
Source: GimmerBot.exe | String found in binary or memory: https://www.globalsign.com/repository/0
Source: GimmerBot.exe | String found in binary or memory: https://www.globalsign.com/repository/03
Source: 00000001.00000002.248714982.0000000003151000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: GimmerBot.exe PID: 5148, type: MEMORYSTR | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_0153E460
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_0153DA68
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_0153D218
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_0153B2F0
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_0153C6A8
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_01530878
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_01530888
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_01536A51
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_01536A60
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_015392C8
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_01530AF8
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 4_2_00E65303
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 4_2_00E61540
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 4_2_00E65958
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 4_2_00E62D58
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 4_2_00E63080
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 4_2_00E6153F
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 4_2_00E63E2B
Source: GimmerBot.exe, 00000001.00000002.249651027.0000000003685000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamegimmer.exe4 vs GimmerBot.exe
Source: GimmerBot.exe, 00000001.00000002.248714982.0000000003151000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs GimmerBot.exe
Source: GimmerBot.exe, 00000004.00000002.504115974.0000000000EBA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs GimmerBot.exe
Source: GimmerBot.exe, 00000004.00000000.247105439.00000000006E6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamegimmer.exe4 vs GimmerBot.exe
Source: GimmerBot.exe | Binary or memory string: OriginalFilenamegimmer.exe4 vs GimmerBot.exe
Source: GimmerBot.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (reported twice)
Source: GimmerBot.exe | Static PE information: invalid certificate
Source: GimmerBot.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GimmerBot.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\GimmerBot.exe 'C:\Users\user\Desktop\GimmerBot.exe'
Source: C:\Users\user\Desktop\GimmerBot.exe | Process created: C:\Users\user\Desktop\GimmerBot.exe {path}
Source: C:\Users\user\Desktop\GimmerBot.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GimmerBot.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/1
Source: C:\Users\user\Desktop\GimmerBot.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: GimmerBot.exe, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.GimmerBot.exe.610000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.GimmerBot.exe.610000.1.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs | Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\GimmerBot.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: GimmerBot.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
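No Sigma rule matched, yet the traffic evidence carries a clean network signal: a TCP session from 192.168.2.7 to 195.2.75.10:2012 with no DNS query in front of it, on a non-standard port, to the exact endpoint named in the extracted configuration. The Python below is an added example, not part of the Joe Sandbox report, that applies those three checks to constructed Zeek-style conn and dns records. Only the client address and the C2 endpoint come from the report; the 203.0.113.x answers, query names and timestamps are made up (RFC 5737 documentation addresses), and the internal-network list is an assumed site setting.

```python
import json
from ipaddress import ip_address, ip_network

# Configuration exactly as the report's extractor printed it.
CONFIG = json.loads('{"C2 url": ["195.2.75.10:2012"], "Bot Id": "fbgimmer"}')

# Assumed site settings: internal ranges to skip, and ports a desktop may use unremarked.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}

# Constructed Zeek-style records (tab separated).
# conn: ts uid orig_h orig_p resp_h resp_p proto      dns: ts query answer
CONN_LOG = (
    "1.0\tCa1\t192.168.2.7\t49701\t203.0.113.10\t443\ttcp\n"
    "2.0\tCa2\t192.168.2.7\t49703\t203.0.113.20\t80\ttcp\n"
    "3.0\tCa3\t192.168.2.7\t49705\t195.2.75.10\t2012\ttcp\n"
    "4.0\tCa4\t192.168.2.7\t49706\t203.0.113.30\t8443\ttcp\n"
    "5.0\tCa5\t192.168.2.7\t49707\t192.168.2.1\t445\ttcp\n"
)
DNS_LOG = (
    "0.5\tupdate.example.net\t203.0.113.10\n"
    "1.5\tapi.ipify.org\t203.0.113.20\n"
    "6.0\tlate.example.net\t203.0.113.30\n"   # answer arrives after the flow: must not count
)


def c2_endpoints(config: dict) -> set:
    """Turn the extractor's 'host:port' strings into (host, port) tuples."""
    out = set()
    for entry in config.get("C2 url", []):
        host, _, port = entry.rpartition(":")
        out.add((host, int(port)))
    return out


def parse_dns(text: str) -> dict:
    """Map answered IP -> list of (ts, query name) that resolved to it."""
    answers = {}
    for line in text.splitlines():
        ts, name, ip = line.split("\t")
        answers.setdefault(ip, []).append((float(ts), name))
    return answers


def parse_conn(text: str) -> list:
    fields = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto")
    rows = []
    for line in text.splitlines():
        row = dict(zip(fields, line.split("\t")))
        row["ts"] = float(row["ts"])
        row["resp_p"] = int(row["resp_p"])
        rows.append(row)
    return rows


def flag_flows(conn_text: str, dns_text: str, config: dict = CONFIG) -> dict:
    """Return {uid: [reasons]} for every flow to a non-internal address that
    (a) had no DNS answer naming that address at or before the flow started,
    (b) uses a port outside STANDARD_PORTS, or (c) matches an extracted C2 endpoint."""
    dns = parse_dns(dns_text)
    c2 = c2_endpoints(config)
    flagged = {}
    for f in parse_conn(conn_text):
        dst = ip_address(f["resp_h"])
        if any(dst in net for net in LOCAL_NETS):
            continue  # lateral traffic is a separate detection
        reasons = []
        if not any(ts <= f["ts"] for ts, _ in dns.get(f["resp_h"], [])):
            reasons.append("no_dns_resolution")
        if f["resp_p"] not in STANDARD_PORTS:
            reasons.append("nonstandard_port")
        if (f["resp_h"], f["resp_p"]) in c2:
            reasons.append("known_c2_endpoint")
        if reasons:
            flagged[f["uid"]] = reasons
    return flagged
```

The time comparison is the part worth keeping: a DNS answer that arrives after the connection (Ca4 above) does not explain it, and a hard-coded C2 address never produces one at all, which is exactly the "TCP traffic detected without corresponding DNS query" line in the report. The config-derived check is the narrowest and the cheapest; the other two are what catch the next build after the operator rotates the address.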

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: GimmerBot.exe, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs | .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs | .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs | .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.GimmerBot.exe.610000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs | .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.2.GimmerBot.exe.610000.1.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs | .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_015355A7 push es; retf | 1_2_015355A8
Source: initial sample | Static PE information: section name: .text entropy: 7.84895459195
Source: GimmerBot.exe, 1.2.GimmerBot.exe.bd0000.0.unpack, 1.0.GimmerBot.exe.bd0000.0.unpack, 4.0.GimmerBot.exe.610000.0.unpack, 4.2.GimmerBot.exe.610000.1.unpack | High entropy of concatenated method names (the same nine classes are reported for every one of these sources; listed once):
KFgV3QMKpRoDPZFWZ4/CaIZKNsBuQsM0iMuHO.cs: '.ctor', 'UNqCMK38WL', 'R3mCvjobAZ', 'HvBCkEZC2q', 'koUC8d6T0h', 'nHPCqrIeft', 'nZbCA8Ycso', 'nVwC3aL1KZ', 'QF5CatIjCi', 'beuCjX85j3'
Lab1/FormLab1.cs: '.ctor', 'oRQoUthgY', 'a5ih8lBKL', 'Dispose', 'uGEfMaLNC', 'CD9GX0XVUYhrUHn2KL', 'JTRmblxTdY3AqDDJCg', 'Bp32lkyU026iqjk3OU', 'ABZLZhPLthoV5TNZti', 'Q2lrv3MBFhVxJ97B5p'
y1xmiW5A1I40ewigNW/MuINH2E6N6h1w390Dl.cs: '.ctor', 'iASCFUb3f4', 'qTICCuvFYi', 'O1SCWRffOB', 'BXYCo8E63A', 'oedCh2lUVN', 'Dispose', 'rPBCfRSbsn', 'aGqF8mT8Z1prf4GPAW', 'nZWCXRa4COs9BGSRjH'
jKUDeA3BcACkXrCg89/PhBSmVA4h5SXCsOTvU.cs: '.ctor', 'RRDW822b0U', 'zJxWqsHCx2', 'BBgWAv8SOK', 'ggmW3xrWMN', 'dbkb5xH1ipsC5BHnuCM', 'g817BHHTS61AmxwXYr6', 'nEiyxhHaQRCYqXAPp6V', 'DvaQWgHFS5RkoshMSWb', 'cUCbtlHn7djy8yVYY4J'
nPw3F3kiaAT9L2m3Ra/y3kVoovs26cJYUhTxH.cs: 'Qn6WEVXta0', 'CFAW57KTDM', '.ctor', 'rMFCzSsLCx', 'JKrWFujUbK', 'SGNWCDdwn1', 'RVJWWJrBd1', 'qDKWorKHYT', 'WxwWhwX4Z6', 'QmnWfbUvEg'
udSnyQOn855MTUH39h/XMHL7Hfn319dJ3QbqC.cs: '.ctor', 'DXJmKaAfS', 'I7e10qwHJ', 'R48ZI2NCY', 'P4wHp1fUi', 'QLj0j548v', 'emti8V8eM', 'mKJuQosgW', 'pIFbx5oSr', 'S1OVh1Urj'
UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs: '.cctor', 'GUsnFSgs6jGAN', 'qknooMPGd2', 'BLAohGB5O9', 'YFGofWp81N', 'lbHoOTKsWA', 'eRHoEcXLTi', 'MNFo5lFho5', 'Pm3os9CVxd', 'UnsoMTfYa6'
ucsoAVcwaL1KZRF5tI/U6T0hABHPrIeft3Zb8.cs: 'xrvhhwbqq5', 'nPohfpMQty', 'sc2hO7XxI7', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'EDFVkYOfZDSrJWyy9p', 'HUKE2lDulZk8lJRyyL', 'ykb6jBIy7JGZsmXj1i', 'cZXbRTdlEkXMuiHw7A'
VkqeSJKXJKaAfST7e0/EmhTuxgixP0ahfn9uU.cs: 'sKNnFSggqjChf', '.ctor', '.cctor', 'EgPvcylUcujPNS5a6Gc', 'sciDT5lliNxAlBSKPXt', 'cPqx4qlksxQK38ktsiY', 'dA3OA6ldVEgTf9bsXaX', 'd1Mfp3lAcY27JGUCbGh', 'zIWqTclHNHxJ45Vm6gx', 'mDb4UolRyqL1e0yqgZl'
                    Source: C:\Users\user\Desktop\GimmerBot.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\GimmerBot.exe TID: 2388 | Thread sleep time: -41000s >= -30000s
Source: C:\Users\user\Desktop\GimmerBot.exe TID: 1404 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\GimmerBot.exe TID: 1156 | Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\GimmerBot.exe TID: 1156 | Thread sleep count: 137 > 30
Source: C:\Users\user\Desktop\GimmerBot.exe TID: 1300 | Thread sleep count: 1022 > 30
Source: C:\Users\user\Desktop\GimmerBot.exe TID: 1300 | Thread sleep time: -102200s >= -30000s
Source: C:\Users\user\Desktop\GimmerBot.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\GimmerBot.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\GimmerBot.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\GimmerBot.exe | Window / User API: threadDelayed 1022
Source: C:\Users\user\Desktop\GimmerBot.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\GimmerBot.exe | Thread delayed: delay time: 41000
Source: C:\Users\user\Desktop\GimmerBot.exe | Thread delayed: delay time: 922337203685477
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp | Binary or memory string: VMwareVMware
Source: GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp | Binary or memory string: VMWare
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: GimmerBot.exe, 00000004.00000002.504163783.0000000000EE1000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

                    Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\GimmerBot.exe | Code function: 1_2_0153C508 CheckRemoteDebuggerPresent, 1_2_0153C508
Source: C:\Users\user\Desktop\GimmerBot.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\GimmerBot.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\GimmerBot.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\GimmerBot.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\GimmerBot.exe | Process created: C:\Users\user\Desktop\GimmerBot.exe {path}
Source: C:\Users\user\Desktop\GimmerBot.exe | Queries volume information: C:\Users\user\Desktop\GimmerBot.exe VolumeInformation
Source: C:\Users\user\Desktop\GimmerBot.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\GimmerBot.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\GimmerBot.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\GimmerBot.exe | Queries volume information: C:\Users\user\Desktop\GimmerBot.exe VolumeInformation
Source: C:\Users\user\Desktop\GimmerBot.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information:

Yara detected Grandsteal
Source: Yara match | File source: 4.2.GimmerBot.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GimmerBot.exe.44e3728.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GimmerBot.exe.44e3728.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GimmerBot.exe PID: 5148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: GimmerBot.exe PID: 1400, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp | String found in binary or memory: Exodus#\Electrum\wallets
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp | String found in binary or memory: Bytecoin+\Exodus\exodus.wallet
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp | String found in binary or memory: Electrum#\Ethereum\wallets
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp | String found in binary or memory: Bytecoin+\Exodus\exodus.wallet
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp | String found in binary or memory: Electrum#\Ethereum\wallets
Source: GimmerBot.exe | String found in binary or memory: set_UseMachineKeyStore
Source: Yara match | File source: 4.2.GimmerBot.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GimmerBot.exe.44e3728.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GimmerBot.exe.44e3728.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GimmerBot.exe PID: 5148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: GimmerBot.exe PID: 1400, type: MEMORYSTR

                    Remote Access Functionality:

Yara detected Grandsteal
Source: Yara match | File source: 4.2.GimmerBot.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GimmerBot.exe.44e3728.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GimmerBot.exe.44e3728.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GimmerBot.exe PID: 5148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: GimmerBot.exe PID: 1400, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection11Masquerading1OS Credential DumpingSecurity Software Discovery211Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Local System1Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection11NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery12SSHKeyloggingData Transfer Size Li