
Windows Analysis Report R0xLHA2mT5.exe

Overview

General Information

Sample Name: R0xLHA2mT5.exe
Analysis ID: 528072
MD5: 9f3b8462c508884f6966f3ad4a275799
SHA1: 6288e611de585a6dc56c6399ef03012698d60392
SHA256: a548ac73d6acb5a260cb2e1760946c37ce94d89f3cd2a5b126e266e007dfc543
Tags: exe, Gozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Writes or reads registry keys via WMI
Machine Learning detection for sample
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • R0xLHA2mT5.exe (PID: 3608 cmdline: "C:\Users\user\Desktop\R0xLHA2mT5.exe" MD5: 9F3B8462C508884F6966F3AD4A275799)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.R0xLHA2mT5.exe.22b0000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.R0xLHA2mT5.exe.42a94a0.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000000.00000002.558633327.0000000002130000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (configuration as shown under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: R0xLHA2mT5.exe | Metadefender: Detection: 22%
Source: R0xLHA2mT5.exe | ReversingLabs: Detection: 45%
Machine Learning detection for sample
Source: R0xLHA2mT5.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.R0xLHA2mT5.exe.2130e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.R0xLHA2mT5.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.R0xLHA2mT5.exe.2140000.0.unpack | Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Unpacked PE file: 0.2.R0xLHA2mT5.exe.400000.0.unpack
Uses 32bit PE files
Source: R0xLHA2mT5.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 74.6.231.21:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: Binary string: C:\julokapinuf\da.pdb source: R0xLHA2mT5.exe
Source: Binary string: C:\julokapinuf\da.pdbP+C source: R0xLHA2mT5.exe
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 74.6.231.21
Source: Joe Sandbox View | IP Address: 87.248.100.216
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
    GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: yahoo.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.yahoo.com
    Cookie: B=0kqfhp5gpsta9&b=3&s=ki
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    date: Wed, 24 Nov 2021 17:24:25 GMT
    p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
    cache-control: private
    x-content-type-options: nosniff
    content-type: text/html; charset=UTF-8
    x-envoy-upstream-service-time: 12
    server: ATS
    Content-Length: 1048
    Age: 2
    Connection: close
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=0p10fa5gpsta9&partner=;
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
Source: unknown | DNS traffic detected: queries for: yahoo.com
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B5988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY
Source: R0xLHA2mT5.exe, 00000000.00000002.559091455.000000000234A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File sources: the same memory dumps, process memory space and unpacked PEs as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B836E
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B7FBE
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BAFC0
Contains functionality to call native functions
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401703 NtMapViewOfSection
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401C90 GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_004019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B9A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BB1E5 NtQueryVirtualMemory
PE file contains strange resources
Source: R0xLHA2mT5.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: R0xLHA2mT5.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: R0xLHA2mT5.exeMetadefender: Detection: 22%
                  Source: R0xLHA2mT5.exeReversingLabs: Detection: 45%
                  Source: R0xLHA2mT5.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                  Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@4/2
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeCode function: 0_2_022B8F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_022B8F1B
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
                  Source: R0xLHA2mT5.exeStatic PE information: More than 200 imports for KERNEL32.dll
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: C:\julokapinuf\da.pdb source: R0xLHA2mT5.exe
                  Source: Binary string: C:\julokapinuf\da.pdbP+C source: R0xLHA2mT5.exe

                  Data Obfuscation:

                  Detected unpacking (overwrites its own PE header)
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Unpacked PE file: 0.2.R0xLHA2mT5.exe.400000.0.unpack
                  Detected unpacking (changes PE section rights)
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Unpacked PE file: 0.2.R0xLHA2mT5.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BE62F push edi; retf 0_2_022BE630
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BAC00 push ecx; ret 0_2_022BAC09
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BAFAF push ecx; ret 0_2_022BAFBF
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BE9AC push 0B565A71h; ret 0_2_022BE9B1
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0042E630 push ecx; mov dword ptr [esp], 00000000h 0_2_0042E631
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_023600A6 push esp; iretd 0_2_023600B7
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_02363EAD push 12BFE4EFh; ret 0_2_02363EB2
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0235EE91 push edx; iretd 0_2_0235EEC8
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0235E89D push esi; iretd 0_2_0235E89E
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_02362CF3 push es; iretd 0_2_02362CF6
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0235F184 push ebx; retf 0_2_0235F196
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_02365B88 push ds; ret 0_2_02365B89
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401264 LoadLibraryA,GetProcAddress, 0_2_00401264
                  Source: initial sample | Static PE information: section name: .text entropy: 7.03993935197

                  Hooking and other Techniques for Hiding and Protection:

                  Yara detected Ursnif
                  Source: Yara match | File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
                  Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Process information set: NOOPENFILEERRORBOX
                  Source: R0xLHA2mT5.exe, 00000000.00000002.559383521.00000000023C6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401264 LoadLibraryA,GetProcAddress, 0_2_00401264
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0235C2F6 push dword ptr fs:[00000030h] 0_2_0235C2F6
                  Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                  Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp | Binary or memory string: Progman
                  Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B7A2E cpuid 0_2_022B7A2E
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_00401E22
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_00401752
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B7A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_022B7A2E

                  Stealing of Sensitive Information:

                  Yara detected Ursnif
                  Source: Yara match | File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
                  Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY

                  Remote Access Functionality:

                  Yara detected Ursnif
                  Source: Yara match | File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
                  Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Windows Management Instrumentation2 | Path Interception | Process Injection1 | Process Injection1 | Input Capture1 | System Time Discovery1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information2 | LSASS Memory | Security Software Discovery1 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing22 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Account Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol14 | SIM Card Swap | Carrier Billing Fraud |
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Owner/User Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

                  Behavior Graph

                  Behavior Graph ID: 528072 (graph image not included in this text version)