Windows Analysis Report cyr8VsVRxv.exe

Overview

General Information

Sample Name: cyr8VsVRxv.exe
Analysis ID: 502334
MD5: e60399a0e9761e7653376e878875ef3a
SHA1: a2d96bbe0837fcb7a1057e69c8b77960a81ae2b9
SHA256: 881003326302ab243f71138e2e39517677c9117fd73e50f8989ee9b39e86407b
Tags: BitRAT, exe, RAT
Detection

BitRAT
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected BitRAT
Hides threads from debuggers
Machine Learning detection for sample
Injects a PE file into a foreign process
Contains functionality to inject code into remote processes
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Installs a global mouse hook
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • cyr8VsVRxv.exe (PID: 6912 cmdline: 'C:\Users\user\Desktop\cyr8VsVRxv.exe' MD5: E60399A0E9761E7653376E878875EF3A)
    • cyr8VsVRxv.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\cyr8VsVRxv.exe' MD5: E60399A0E9761E7653376E878875EF3A)
  • cleanup

Malware Configuration

Threatname: BitRat

{"Host": "185.250.148.54", "Port": "4898", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "5e868314c93c46157fbd5b1adce630ff", "Tor Process Name": "tor"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
00000001.00000000.940036093.0000000000400000.00000040.00000001.sdmp | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
Process Memory Space: cyr8VsVRxv.exe PID: 6952 | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.cyr8VsVRxv.exe.400000.1.raw.unpack | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
1.0.cyr8VsVRxv.exe.400000.2.raw.unpack | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
1.2.cyr8VsVRxv.exe.400000.0.raw.unpack | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
1.2.cyr8VsVRxv.exe.400000.0.unpack | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: BitRat {"Host": "185.250.148.54", "Port": "4898", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "5e868314c93c46157fbd5b1adce630ff", "Tor Process Name": "tor"}
Machine Learning detection for sample
Source: cyr8VsVRxv.exe | Joe Sandbox ML: detected
Source: cyr8VsVRxv.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: cyr8VsVRxv.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: C:\dezovegoj\xezanapabala96\hexixobuvukuhe\juhubag4\rodoy\h.pdb source: cyr8VsVRxv.exe
Source: Binary string: `C:\dezovegoj\xezanapabala96\hexixobuvukuhe\juhubag4\rodoy\h.pdb source: cyr8VsVRxv.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.250.148.54
Source: Joe Sandbox View | ASN Name: FIRSTDC-ASRU FIRSTDC-ASRU
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 185.250.148.54:4898
Source: unknown | TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: cyr8VsVRxv.exe, cyr8VsVRxv.exe, 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_00415782 WSARecv
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Windows user hook set: 0 mouse low level NULL
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_004113B9
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0068C54E
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0040EA72
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0068DCD0
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_1_00693097
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_1_006B126E
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_1_0068D297
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_1_006AE329
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: String function: 00411DDD appears 171 times
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: String function: 0068A19C appears 129 times
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: String function: 0068B440 appears 34 times
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: String function: 006B9C3C appears 413 times
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: String function: 006909D0 appears 86 times
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_037C0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess
Source: cyr8VsVRxv.exe, 00000001.00000003.747429579.0000000003316000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs cyr8VsVRxv.exe
Source: cyr8VsVRxv.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\cyr8VsVRxv.exe 'C:\Users\user\Desktop\cyr8VsVRxv.exe'
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Process created: C:\Users\user\Desktop\cyr8VsVRxv.exe 'C:\Users\user\Desktop\cyr8VsVRxv.exe'
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32
Source: classification engine | Classification label: mal76.troj.evad.winEXE@3/0@0/1
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Mutant created: \Sessions\1\BaseNamedObjects\afb3e877cc714e505f82dd992f785161
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_00422D5E __CxxThrowException@8,GetLastError,LoadResource,LockResource,SizeofResource
Source: cyr8VsVRxv.exe | String found in binary or memory: id-cmc-addExtensions
Source: cyr8VsVRxv.exe | String found in binary or memory: set-addPolicy
Source: cyr8VsVRxv.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: cyr8VsVRxv.exe | Static file information: File size 1776128 > 1048576
Source: cyr8VsVRxv.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19ce00
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_03649666 push ebp; iretd 0_2_0364966D
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0364A461 push cs; ret 0_2_0364A463
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0364B56E push C042A0DCh; iretd 0_2_0364B573
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0364F177 push ss; retf 0_2_0364F17A
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0364B9E7 push ebp; ret 0_2_0364B9E8
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_036498C4 push esi; iretd 0_2_036498C5
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0364B5A7 push ebx; ret 0_2_0364B5AF
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0364B1BA push esp; ret 0_2_0364B1C6
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0365048F push ss; retf 0_2_036504AE
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0068A4A9 push ecx; ret 1_2_0068A4BC
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0068B486 push ecx; ret 1_2_0068B499
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_006B9C3C push eax; ret 1_2_006B9C5A
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_006B9CDC push ecx; ret 1_2_006B9CEC
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_1_0069909D pushad ; retf 0071h 1_1_006990A0
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_00584E90 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: initial sample | Static PE information: section name: .text entropy: 7.95314540909
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7112 | Thread sleep count: 4452 > 30
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7112 | Thread sleep time: -44520s >= -30000s
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7124 | Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7128 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7088 | Thread sleep count: 446 > 30
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7088 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7112 | Thread sleep time: -10322220s >= -30000s
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 5460 | Thread sleep time: -10163890s >= -30000s
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 6616 | Thread sleep time: -20288198s >= -30000s
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 6008 | Thread sleep time: -10144098s >= -30000s
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7116 | Thread sleep time: -10332116s >= -30000s
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7112 | Thread sleep time: -61408101s >= -30000s
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7116 | Thread sleep time: -61398210s >= -30000s
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread sleep count: Count: 4452 delay: -10
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Last function: Thread delayed
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 10322220
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 10163890
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 10144099
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 10144098
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 10332116
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 61408101
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 61398210
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Window / User API: threadDelayed 4452
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Window / User API: threadDelayed 446
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_004090D7 new,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo
Source: cyr8VsVRxv.exe, 00000001.00000000.940880200.0000000000AEA000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0057F2F0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_00584E90 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0040F6F5 __EH_prolog,GetProcessHeap
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_036470A3 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_037C0042 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_006A482C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_00581390 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0068A7EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_00694A7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_1_0068B743 SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Memory written: C:\Users\user\Desktop\cyr8VsVRxv.exe base: 400000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_037C0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Process created: C:\Users\user\Desktop\cyr8VsVRxv.exe 'C:\Users\user\Desktop\cyr8VsVRxv.exe'
Source: cyr8VsVRxv.exe, 00000001.00000000.936422512.0000000000AEA000.00000004.00000020.sdmp | Binary or memory string: Program Managerc
Source: cyr8VsVRxv.exe, 00000001.00000002.944500030.0000000001070000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: cyr8VsVRxv.exe, 00000001.00000002.944500030.0000000001070000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: cyr8VsVRxv.exe, 00000001.00000002.944500030.0000000001070000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: cyr8VsVRxv.exe, 00000001.00000003.916727219.00000000033C9000.00000004.00000001.sdmp | Binary or memory string: Program Managerrr
Source: cyr8VsVRxv.exe, 00000001.00000000.942578555.00000000033C9000.00000004.00000001.sdmp | Binary or memory string: Program ManagerVtr
Source: cyr8VsVRxv.exe, 00000001.00000000.936422512.0000000000AEA000.00000004.00000020.sdmp | Binary or memory string: Program Managerw
Source: cyr8VsVRxv.exe, 00000001.00000002.944500030.0000000001070000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: cyr8VsVRxv.exe, 00000001.00000000.942578555.00000000033C9000.00000004.00000001.sdmp | Binary or memory string: Program Manager8u`
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: EnumSystemLocalesW, 1_1_006AB108
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: EnumSystemLocalesW, 1_1_006B4238
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: EnumSystemLocalesW, 1_1_006B4283
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: EnumSystemLocalesW, 1_1_006B431E
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0040EA72 cpuid
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_00585D60 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter

Stealing of Sensitive Information:

Yara detected BitRAT
Source: Yara match | File source: 1.0.cyr8VsVRxv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.cyr8VsVRxv.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cyr8VsVRxv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cyr8VsVRxv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.940036093.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cyr8VsVRxv.exe PID: 6952, type: MEMORYSTR

                  Remote Access Functionality:

Yara detected BitRAT
Source: Yara match | File source: 1.0.cyr8VsVRxv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.cyr8VsVRxv.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cyr8VsVRxv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cyr8VsVRxv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.940036093.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cyr8VsVRxv.exe PID: 6952, type: MEMORYSTR

Mitre Att&ck Matrix

Techniques listed per tactic column (numbers in parentheses are the count badges shown next to the technique in the original matrix):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (2); Native API (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (212); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (131); Process Injection (212); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); Steganography; Compile After Delivery
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Query Registry (1); Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Information Discovery (23)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                  Behavior Graph


                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language