Windows Analysis Report 8XMlaeHQXZ.exe

Overview

General Information

Sample Name: 8XMlaeHQXZ.exe
Analysis ID: 528756
MD5: 5643bf734d793e845166a228f3df83b3
SHA1: 4415ad682fd64baedf5c209bc0c2a3b619cf03e2
SHA256: db79e0c2243229f8ba6a52deede597287b93801aa182af42f278542f31fb3324
Tags: exe, RedLineStealer

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

PE file has nameless sections
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains an invalid checksum
Checks if the current process is being debugged
PE file contains sections with non-standard names
Binary contains a suspicious time stamp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file overlay found

AV Detection:

Machine Learning detection for sample
Source: 8XMlaeHQXZ.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 8XMlaeHQXZ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 8XMlaeHQXZ.exe, 00000000.00000000.671939274.0000000000ABA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

PE file has nameless sections
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Uses 32bit PE files
Source: 8XMlaeHQXZ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
PE file does not import any functions
Source: 8XMlaeHQXZ.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 8XMlaeHQXZ.exe, 00000000.00000000.669090161.0000000000426000.00000080.00020000.sdmp Binary or memory string: OriginalFilenamePantsuits.exe4 vs 8XMlaeHQXZ.exe
Source: 8XMlaeHQXZ.exe, 00000000.00000000.669090161.0000000000426000.00000080.00020000.sdmp Binary or memory string: OriginalFilenameGeForce Experience PermissionT vs 8XMlaeHQXZ.exe
Source: 8XMlaeHQXZ.exe Binary or memory string: OriginalFilenamePantsuits.exe4 vs 8XMlaeHQXZ.exe
Source: 8XMlaeHQXZ.exe Binary or memory string: OriginalFilenameGeForce Experience PermissionT vs 8XMlaeHQXZ.exe
One or more processes crash
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 212
PE file overlay found
Source: 8XMlaeHQXZ.exe Static PE information: Data appended to the last section found
Source: 8XMlaeHQXZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: 8XMlaeHQXZ.exe Static PE information: Section: ZLIB complexity 1.00057768486
Source: 8XMlaeHQXZ.exe Static PE information: Section: ZLIB complexity 1.0107421875
Source: 8XMlaeHQXZ.exe Static PE information: Section: ZLIB complexity 1.00716145833
Source: 8XMlaeHQXZ.exe Static PE information: Section: ZLIB complexity 1.021484375
Source: 8XMlaeHQXZ.exe Static PE information: Section: ZLIB complexity 1.00037704324
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\8XMlaeHQXZ.exe "C:\Users\user\Desktop\8XMlaeHQXZ.exe"
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 212
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5476
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5561.tmp
Source: classification engine Classification label: mal48.winEXE@2/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 8XMlaeHQXZ.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x104c00
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp

Data Obfuscation:

PE file contains an invalid checksum
Source: 8XMlaeHQXZ.exe Static PE information: real checksum: 0x122111 should be: 0x3a656
PE file contains sections with non-standard names
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name:
Source: 8XMlaeHQXZ.exe Static PE information: section name: .m8o02uE
Source: 8XMlaeHQXZ.exe Static PE information: section name: .adata
Binary contains a suspicious time stamp
Source: 8XMlaeHQXZ.exe Static PE information: 0xFBDADAB2 [Sun Nov 25 08:54:10 2103 UTC]
Source: initial sample Static PE information: section name: entropy: 7.99485148323
Source: initial sample Static PE information: section name: entropy: 7.80837604511
Source: initial sample Static PE information: section name: entropy: 7.87119921588
Source: initial sample Static PE information: section name: entropy: 7.59715435366
Source: initial sample Static PE information: section name: entropy: 7.99861729183

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.4.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: VMware7,1
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exe Process queried: DebugPort

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
No contacted IP infos