Windows Analysis Report
555.exe

Overview

General Information

Sample Name: 555.exe
Analysis ID: 594633
MD5: ed37ebbe1746dd0d566c8c4769655e0b
SHA1: 0a559ebf6ab1cdf292c79aac5ac20c236d975eb7
SHA256: b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180
Tags: ArkeiStealer, exe, Vidar

Detection

Oski Stealer, Vidar
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Oski Stealer
Antivirus / Scanner detection for submitted sample
Yara detected Vidar stealer
Injects a PE file into a foreign processes
Country aware sample found (crashes after keyboard check)
Found many strings related to Crypto-Wallets (likely being stolen)
Uses 32bit PE files
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality to enumerate network shares
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Found evaded block containing many API calls
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 555.exe Virustotal: Detection: 71%
Source: 555.exe Metadefender: Detection: 41%
Source: 555.exe ReversingLabs: Detection: 78%
Source: 555.exe Avira: detected
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0040A053 _memset,CryptStringToBinaryA,_memmove, 4_2_0040A053
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_004108CF __EH_prolog3,_malloc,_memmove,CryptUnprotectData, 4_2_004108CF
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0040D053 __EH_prolog3,_malloc,_memmove,CryptUnprotectData, 4_2_0040D053
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0040D3A5 __EH_prolog3,_malloc,_memmove,CryptUnprotectData, 4_2_0040D3A5
Source: 555.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00408B20 mmioSeek,mmioDescend,mmioDescend,mmioDescend,mmioSeek,mmioClose,CreateFileA,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,CloseHandle,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ClientToScreen,WindowFromPoint,GetActiveWindow,PlaySoundA,_TrackMouseEvent,GetDlgItem,lstrcpyW,GetCurrentDirectoryW,midiInGetNumDevs,midiInGetDevCapsA,midiInOpen,midiInStart,midiInClose,GetDlgItem,BeginPaint,GetClientRect,CreateFontA,SelectObject,DeleteObject,SetBkMode,DrawTextA,EndPaint,VirtualQuery,VirtualQuery,VirtualQuery,GetParent,SendDlgItemMessageA,SHAutoComplete,PostMessageA,_memset,InsertMenuItemA,lstrcpyW,NetUserEnum,lstrcpyA,lstrlenW,ImageList_DragMove,lstrcpyA,PathCompactPathA,lstrcpyA,lstrlenW,lstrcpyA,WideCharToMultiByte,NetApiBufferFree,MulDiv,CreateFontW,GetModuleHandleA,CreateWindowExA,SendMessageA,SendMessageA,GlobalAlloc,ExitProcess,LoadLibraryA,EnableWindow,GlobalAlloc,ExitProcess,DefDlgProcA,FindResourceA,SizeofResource,LoadResource,LockResource,CreateFileA,GetProcAddress,WriteFile,VirtualAlloc,CloseHandle,LoadBitmapA,lstrcatA,LoadLibraryA,GetProcAddress,WSACreateEvent,WSAWaitForMultipleEvents,ShowWindow,EnumChildWindows,ChooseFontA,CreateFontIndirectA,BeginPaint,SelectObject,TextOutA,EndPaint,DefWindowProcA,StartPage,GetTextMetricsW,PostQuitMessage,#17,CreateWindowExA,ImageList_LoadImageA,ImageList_LoadImageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetTextExtentExPointW,ExtTextOutW,_memmove,EndPage,GetLocalTime,GetTimeFormatW,SendMessageW,SendMessageW,SendMessageW,GetDateFormatW,SendMessageW,HideCaret, 1_2_00408B20
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00411CE4 __EH_prolog3_catch_GS,__wgetenv,FindFirstFileW, 4_2_00411CE4
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00404BD7 __EH_prolog3,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcatW,FindNextFileW,FindClose, 4_2_00404BD7
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0040F1C4 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 4_2_0040F1C4
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00405291 __EH_prolog3,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose, 4_2_00405291
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00453605 __EH_prolog3_GS,FindFirstFileW,FindNextFileW, 4_2_00453605
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0040F72A __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW, 4_2_0040F72A
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00405742 _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok, 4_2_00405742
Source: unknown DNS traffic detected: query: dersed.com replaycode: Name error (3)
Source: 555.exe, 00000004.00000000.271412453.0000000000400000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://ip-api.com/line/
Source: unknown DNS traffic detected: queries for: dersed.com
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00409559 __EH_prolog3,InternetSetFilePointer,InternetReadFile,_memmove,_memset,HttpQueryInfoA,CoCreateInstance,_memcpy_s,_memcpy_s, 4_2_00409559

System Summary

Source: 4.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Vidar Payload Author: kevoreilly
Source: 4.2.555.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Vidar Payload Author: kevoreilly
Source: 00000004.00000000.271412453.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Vidar Payload Author: kevoreilly
Source: 4.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Vidar author = kevoreilly, description = Vidar Payload, cape_type = Vidar Payload
Source: 4.2.555.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Vidar author = kevoreilly, description = Vidar Payload, cape_type = Vidar Payload
Source: 00000004.00000000.271412453.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Vidar author = kevoreilly, description = Vidar Payload, cape_type = Vidar Payload
Source: C:\Users\user\Desktop\555.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6872 -s 1180
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00408B20 1_2_00408B20
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_0040AC10 1_2_0040AC10
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00407DF0 1_2_00407DF0
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00438147 1_2_00438147
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00423130 1_2_00423130
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00430308 1_2_00430308
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_0043943F 1_2_0043943F
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_004464D0 1_2_004464D0
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_0043751A 1_2_0043751A
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00447649 1_2_00447649
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_004306F0 1_2_004306F0
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_0042F703 1_2_0042F703
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00405900 1_2_00405900
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00437A6B 1_2_00437A6B
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00446AAD 1_2_00446AAD
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_0042FB98 1_2_0042FB98
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00445DBF 1_2_00445DBF
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_0042FF36 1_2_0042FF36
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00436FC9 1_2_00436FC9
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00432FF6 1_2_00432FF6
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0045604F 4_2_0045604F
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0046E069 4_2_0046E069
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0046A18D 4_2_0046A18D
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0046A575 4_2_0046A575
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0044C530 4_2_0044C530
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0046E5BA 4_2_0046E5BA
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00456AB1 4_2_00456AB1
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0046EB0B 4_2_0046EB0B
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00454B1E 4_2_00454B1E
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0044AB25 4_2_0044AB25
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00426E19 4_2_00426E19
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00438FBA 4_2_00438FBA
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0046F1E7 4_2_0046F1E7
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00459280 4_2_00459280
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00469588 4_2_00469588
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_004157E1 4_2_004157E1
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_004477E7 4_2_004477E7
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00469A1D 4_2_00469A1D
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00429DA3 4_2_00429DA3
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00469DBB 4_2_00469DBB
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0043FE0C 4_2_0043FE0C
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00449EE7 4_2_00449EE7
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0046FFB0 4_2_0046FFB0
Source: C:\Users\user\Desktop\555.exe Code function: String function: 00458B40 appears 59 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 004100F0 appears 57 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 004150F3 appears 37 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 00404150 appears 70 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 0040143A appears 59 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 004220AE appears 103 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 00422493 appears 44 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 0042A1F0 appears 49 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 004256B0 appears 85 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 00425719 appears 64 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 004223BB appears 39 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 00459097 appears 39 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 004032D8 appears 33 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 0042207B appears 67 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 00421ED1 appears 39 times
Source: C:\Users\user\Desktop\555.exe Code function: String function: 0045F610 appears 59 times
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_04783914 NtQueryInformationProcess, 1_2_04783914
Source: 555.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 555.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\555.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\555.exe "C:\Users\user\Desktop\555.exe"
Source: C:\Users\user\Desktop\555.exe Process created: C:\Users\user\Desktop\555.exe C:\Users\user\Desktop\555.exe
Source: C:\Users\user\Desktop\555.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0000031A-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\555.exe File created: C:\Users\user\AppData\Local\Temp\787F.tmp
Source: classification engine Classification label: mal88.troj.spyw.evad.winEXE@4/4@7/1
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_004223F4 GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free, 4_2_004223F4
Source: 555.exe, 555.exe, 00000004.00000002.294243127.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000004.00000000.271412453.0000000000400000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 555.exe, 555.exe, 00000004.00000002.294243127.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000004.00000000.271412453.0000000000400000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp, 555.exe, 00000001.00000002.280000448.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, 555.exe, 00000001.00000002.280450164.00000000048D8000.00000004.00000800.00020000.00000000.sdmp, 555.exe, 00000004.00000002.294243127.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000004.00000000.271412453.0000000000400000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 555.exe, 555.exe, 00000004.00000002.294243127.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000004.00000000.271412453.0000000000400000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 555.exe, 555.exe, 00000004.00000002.294243127.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000004.00000000.271412453.0000000000400000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 555.exe, 555.exe, 00000004.00000002.294243127.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000004.00000000.271412453.0000000000400000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 555.exe, 555.exe, 00000004.00000002.294243127.0000000000474000.00000002.00000001.01000000.00000003.sdmp, 555.exe, 00000004.00000000.271412453.0000000000400000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0042226B GetLastError,FormatMessageW,FormatMessageA,LocalFree,_free, 4_2_0042226B
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0040A1D5 _malloc,CreateToolhelp32Snapshot,CloseHandle,Process32First,Process32Next,FindCloseChangeNotification, 4_2_0040A1D5
Source: C:\Users\user\Desktop\555.exe Mutant created: \Sessions\1\BaseNamedObjects\d06ed635-68f6-4e9a-955c-4899f5f57b9a{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6872
Source: C:\Users\user\Desktop\555.exe Command line argument: D"E 1_2_0040D360
Source: C:\Users\user\Desktop\555.exe Command line argument: Win 1_2_0040D360
Source: C:\Users\user\Desktop\555.exe Command line argument: HOMEDRIVE 1_2_0040D360
Source: C:\Users\user\Desktop\555.exe Command line argument: HOMEPATH 1_2_0040D360
Source: C:\Users\user\Desktop\555.exe Command line argument: Generator 1_2_0040D360
Source: C:\Users\user\Desktop\555.exe Command line argument: kk-KZ 4_2_00407BAB
Source: C:\Users\user\Desktop\555.exe Command line argument: be-BY 4_2_00407BAB
Source: C:\Users\user\Desktop\555.exe Command line argument: uz-UZ 4_2_00407BAB
Source: C:\Users\user\Desktop\555.exe Command line argument: ru-RU 4_2_00407BAB
Source: C:\Users\user\Desktop\555.exe Command line argument: az-AZ 4_2_00407BAB
Source: C:\Users\user\Desktop\555.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 555.exe Static file information: File size 1304576 > 1048576
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_0042A235 push ecx; ret 1_2_0042A248
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_0042574F push ecx; ret 1_2_00425762
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00458C18 push ecx; ret 4_2_00458C2B
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0045F655 push ecx; ret 4_2_0045F668
Source: 555.exe Static PE information: real checksum: 0x13f018 should be: 0x14b34b
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0040ADF5 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__EH_prolog3,__wgetenv,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_0040ADF5
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: c:\users\user\desktop\555.exe Event Logs and Signature results: Application crash and keyboard check
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_004164C4 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00416512h 4_2_004164C4
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00450D1B GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00450E46h 4_2_00450D1B
Source: C:\Users\user\Desktop\555.exe Window / User API: foregroundWindowGot 453
Source: C:\Users\user\Desktop\555.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\555.exe API coverage: 9.9 %
Source: C:\Users\user\Desktop\555.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_004274F9 GetSystemInfo, 4_2_004274F9
Source: C:\Users\user\Desktop\555.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_004230EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_004230EF
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00439101 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_00439101
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_04781560 mov eax, dword ptr fs:[00000030h] 1_2_04781560
Source: C:\Users\user\Desktop\555.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_004287EA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004287EA
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_0042CF16 SetUnhandledExceptionFilter, 1_2_0042CF16
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00458B31 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00458B31
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00466FD1 SetUnhandledExceptionFilter, 4_2_00466FD1
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0045F80E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0045F80E

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\555.exe Memory written: C:\Users\user\Desktop\555.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\555.exe Process created: C:\Users\user\Desktop\555.exe C:\Users\user\Desktop\555.exe
Source: C:\Users\user\Desktop\555.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 1_2_0042F0DC
Source: C:\Users\user\Desktop\555.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 1_2_00425096
Source: C:\Users\user\Desktop\555.exe Code function: ____lc_handle_func,GetLocaleInfoW, 1_2_0044C0A2
Source: C:\Users\user\Desktop\555.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 1_2_0042F1DE
Source: C:\Users\user\Desktop\555.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 1_2_0042F183
Source: C:\Users\user\Desktop\555.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 1_2_0042F3AF
Source: C:\Users\user\Desktop\555.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_0042F46F
Source: C:\Users\user\Desktop\555.exe Code function: GetLocaleInfoW,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 1_2_0043540E
Source: C:\Users\user\Desktop\555.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_0042F4D6
Source: C:\Users\user\Desktop\555.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_004354E8
Source: C:\Users\user\Desktop\555.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 1_2_0042F512
Source: C:\Users\user\Desktop\555.exe Code function: GetLocaleInfoA, 1_2_004276B6
Source: C:\Users\user\Desktop\555.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_0042E815
Source: C:\Users\user\Desktop\555.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 1_2_0042D8E3
Source: C:\Users\user\Desktop\555.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_0042EB03
Source: C:\Users\user\Desktop\555.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_0042DBB9
Source: C:\Users\user\Desktop\555.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_0042EFE7
Source: C:\Users\user\Desktop\555.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 4_2_0046869A
Source: C:\Users\user\Desktop\555.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 4_2_0045C90A
Source: C:\Users\user\Desktop\555.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 4_2_00468988
Source: C:\Users\user\Desktop\555.exe Code function: __EH_prolog3,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,_memset,LocalFree, 4_2_00450D1B
Source: C:\Users\user\Desktop\555.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_00468E6C
Source: C:\Users\user\Desktop\555.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 4_2_00468F61
Source: C:\Users\user\Desktop\555.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 4_2_00469063
Source: C:\Users\user\Desktop\555.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 4_2_00469008
Source: C:\Users\user\Desktop\555.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 4_2_00469234
Source: C:\Users\user\Desktop\555.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_004692F4
Source: C:\Users\user\Desktop\555.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_0046935B
Source: C:\Users\user\Desktop\555.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 4_2_00469397
Source: C:\Users\user\Desktop\555.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 4_2_00467793
Source: C:\Users\user\Desktop\555.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 4_2_0046DA57
Source: C:\Users\user\Desktop\555.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_00467A3E
Source: C:\Users\user\Desktop\555.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_0046DB31
Source: C:\Users\user\Desktop\555.exe Code function: GetLocaleInfoA, 4_2_00459E8F
Source: C:\Users\user\Desktop\555.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00408B20 mmioSeek,mmioDescend,mmioDescend,mmioDescend,mmioSeek,mmioClose,CreateFileA,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,CloseHandle,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ClientToScreen,WindowFromPoint,GetActiveWindow,PlaySoundA,_TrackMouseEvent,GetDlgItem,lstrcpyW,GetCurrentDirectoryW,midiInGetNumDevs,midiInGetDevCapsA,midiInOpen,midiInStart,midiInClose,GetDlgItem,BeginPaint,GetClientRect,CreateFontA,SelectObject,DeleteObject,SetBkMode,DrawTextA,EndPaint,VirtualQuery,VirtualQuery,VirtualQuery,GetParent,SendDlgItemMessageA,SHAutoComplete,PostMessageA,_memset,InsertMenuItemA,lstrcpyW,NetUserEnum,lstrcpyA,lstrlenW,ImageList_DragMove,lstrcpyA,PathCompactPathA,lstrcpyA,lstrlenW,lstrcpyA,WideCharToMultiByte,NetApiBufferFree,MulDiv,CreateFontW,GetModuleHandleA,CreateWindowExA,SendMessageA,SendMessageA,GlobalAlloc,ExitProcess,LoadLibraryA,EnableWindow,GlobalAlloc,ExitProcess,DefDlgProcA,FindResourceA,SizeofResource,LoadResource,LockResource,CreateFileA,GetProcAddress,WriteFile,VirtualAlloc,CloseHandle,LoadBitmapA,lstrcatA,LoadLibraryA,GetProcAddress,WSACreateEvent,WSAWaitForMultipleEvents,ShowWindow,EnumChildWindows,ChooseFontA,CreateFontIndirectA,BeginPaint,SelectObject,TextOutA,EndPaint,DefWindowProcA,StartPage,GetTextMetricsW,PostQuitMessage,#17,CreateWindowExA,ImageList_LoadImageA,ImageList_LoadImageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetTextExtentExPointW,ExtTextOutW,_memmove,EndPage,GetLocalTime,GetTimeFormatW,SendMessageW,SendMessageW,SendMessageW,GetDateFormatW,SendMessageW,HideCaret, 1_2_00408B20
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_0044D58B __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 1_2_0044D58B
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_0040A13F _memset,GetVersionExA, 4_2_0040A13F
Source: C:\Users\user\Desktop\555.exe Code function: 4_2_00450776 GetUserNameA, 4_2_00450776

Stealing of Sensitive Information

Source: Yara match File source: 4.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.555.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.294243127.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282266070.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.271412453.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.280000448.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.280450164.00000000048D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.281204973.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 555.exe PID: 6568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 555.exe PID: 6872, type: MEMORYSTR
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file__0.localstorage
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: default_wallet
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \MultiDoge\
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: keystore
Source: 555.exe, 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\

Remote Access Functionality

Source: Yara match File source: 4.0.555.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.555.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.294243127.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282266070.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.271412453.0000000000400000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.280513930.0000000004B63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.280000448.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.280450164.00000000048D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.281204973.0000000000474000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 555.exe PID: 6568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 555.exe PID: 6872, type: MEMORYSTR
Source: C:\Users\user\Desktop\555.exe Code function: 1_2_00408870 CoInitialize,CreateBindCtx,MkParseDisplayName, 1_2_00408870