Windows Analysis Report
zRZljp49Uz

Overview

General Information

Sample Name: zRZljp49Uz (renamed file extension from none to exe)
Analysis ID: 650286
MD5: 0cfa58846e43dd67b6d9f29e97f6c53e
SHA1: 19d9fbfd9b23d4bd435746a524443f1a962d42fa
SHA256: 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03
Tags: exeRaccoonStealerRecordBreaker
Infos:

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Uses 32bit PE files
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to query locales information (e.g. system language)
Found evasive API chain checking for process token information
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Program does not show much activity (idle)
IP address seen in connection with other malware

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: zRZljp49Uz.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: zRZljp49Uz.exe Virustotal: Detection: 73% Perma Link
Source: zRZljp49Uz.exe Metadefender: Detection: 28% Perma Link
Source: zRZljp49Uz.exe ReversingLabs: Detection: 88%
Antivirus detection for URL or domain
Source: http://51.195.166.184/ Avira URL Cloud: Label: malware
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A41806 lstrlen,LocalAlloc,LocalAlloc,lstrlen,CryptStringToBinaryA,CryptStringToBinaryA, 0_2_00A41806
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A41726 CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,StrCpyW,LocalFree,LocalFree, 0_2_00A41726
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A417A1 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 0_2_00A417A1
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A4617D LocalAlloc,CryptStringToBinaryA,lstrlen,CryptStringToBinaryA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,StrCpyW,LocalFree,StrCpyW,StrCpyW,LocalFree, 0_2_00A4617D
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A43244 LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree, 0_2_00A43244
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A427C6 LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree, 0_2_00A427C6
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A42CC6 LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,CopyFileW,DeleteFileW,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,lstrcmpW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,CryptUnprotectData,lstrcmpW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 0_2_00A42CC6
Uses 32bit PE files
Source: zRZljp49Uz.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: zRZljp49Uz.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A41E26 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,PathCombineW,StrCpyW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,wsprintfW,PathCombineW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00A41E26
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A4AF2C LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrcmpW,StrCpyW,StrCpyW,FindFirstFileW,LocalFree,LocalFree,lstrcmpW,lstrcmpW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrlenW,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalFree,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,LocalFree,FindClose, 0_2_00A4AF2C
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A4643A LocalAlloc,StrCpyW,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,LocalAlloc,LocalAlloc,StrCpyW,StrCpyW,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree, 0_2_00A4643A
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A41B13 FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,StrStrW,lstrlenW,lstrlenW,LocalAlloc,PathCombineW,LocalFree,lstrlenW,FindNextFileW,FindClose, 0_2_00A41B13
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A4B29D LocalAlloc,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,DeleteFileW,LocalAlloc,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,FindNextFileW,LocalFree,FindClose, 0_2_00A4B29D
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A43C9D StrStrW,StrStrW,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,lstrlenW,LocalAlloc,LocalAlloc,StrStrW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,FindFirstFileW,StrStrW,LocalAlloc,StrCpyW,StrRChrW,StrRChrW,LocalAlloc,PathCombineW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,StrStrW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00A43C9D
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A439E5 LocalAlloc,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 0_2_00A439E5
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A49DEA LocalAlloc,StrCpyW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,PathCombineW,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose, 0_2_00A49DEA
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A45870 LocalAlloc,StrCpyW,lstrlenW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,StrCpyW,LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,StrRChrW,StrCpyW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,GetFileSize,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose, 0_2_00A45870
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A4197C FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindClose,StrStrW,StrStrW,LocalAlloc,PathCombineW,lstrlenW, 0_2_00A4197C
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A46053 FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindClose,lstrlenW, 0_2_00A46053
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A45D00 LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,GetLogicalDriveStringsW,GetDriveTypeW,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,StrStrW,StrStrW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,StrStrW,GetEnvironmentVariableW,LocalFree,LocalFree,StrCpyW,LocalFree,LocalFree, 0_2_00A45D00

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2036882 ET TROJAN Generic Stealer Config Download Request 192.168.2.5:49746 -> 51.195.166.184:80
Source: Traffic Snort IDS: 2036934 ET TROJAN Win32/RecordBreaker CnC Checkin 192.168.2.5:49746 -> 51.195.166.184:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 51.195.166.184 51.195.166.184
Source: unknown TCP traffic detected without corresponding DNS query: 51.195.166.184
Source: unknown TCP traffic detected without corresponding DNS query: 51.195.166.184
Source: unknown TCP traffic detected without corresponding DNS query: 51.195.166.184
Source: unknown TCP traffic detected without corresponding DNS query: 51.195.166.184
Source: unknown TCP traffic detected without corresponding DNS query: 51.195.166.184
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3 (Ubuntu)Date: Wed, 22 Jun 2022 10:00:13 GMTContent-Type: text/html; charset=utf-8Content-Length: 14Connection: keep-aliveContent-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requestsCross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originX-DNS-Prefetch-Control: offExpect-CT: max-age=0X-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffOrigin-Agent-Cluster: ?1X-Permitted-Cross-Domain-Policies: noneReferrer-Policy: no-referrerX-XSS-Protection: 0ETag: W/"e-vDAjs2Bjp2gdskaBRytU+hHw1Ow"Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found
Source: zRZljp49Uz.exe, 00000000.00000002.415337506.0000000000802000.00000004.00000020.00020000.00000000.sdmp, zRZljp49Uz.exe, 00000000.00000003.414770587.0000000000802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://51.195.166.184/
Source: unknown HTTP traffic detected: POST / HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: recordHost: 51.195.166.184Content-Length: 95Connection: Keep-AliveCache-Control: no-cacheData Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 61 6c 66 6f 6e 73 26 63 6f 6e 66 69 67 49 64 3d 35 39 63 39 37 33 37 32 36 34 63 30 62 33 32 30 39 64 39 31 39 33 62 38 64 65 64 36 63 31 32 37 Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user&configId=59c9737264c0b3209d9193b8ded6c127
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A479F3 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,StrStrW,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,InternetOpenW,InternetOpenW,InternetConnectW,InternetConnectW,HttpOpenRequestW,HttpOpenRequestW,lstrlen,HttpSendRequestW,lstrlenW,HttpSendRequestW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalAlloc,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalFree,LocalFree,LocalFree, 0_2_00A479F3
Uses 32bit PE files
Source: zRZljp49Uz.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: String function: 00A41806 appears 92 times
Source: zRZljp49Uz.exe Virustotal: Detection: 73%
Source: zRZljp49Uz.exe Metadefender: Detection: 28%
Source: zRZljp49Uz.exe ReversingLabs: Detection: 88%
Source: zRZljp49Uz.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A4A2D7 CreateToolhelp32Snapshot,Process32First,Process32Next, 0_2_00A4A2D7
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Mutant created: \Sessions\1\BaseNamedObjects\8724643052
Source: classification engine Classification label: mal72.winEXE@1/0@0/1
Source: zRZljp49Uz.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: zRZljp49Uz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A41000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00A41000
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A41000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00A41000
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\zRZljp49Uz.exe API coverage: 8.0 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A49188 LocalAlloc,LocalAlloc,LocalAlloc,lstrlen,lstrcpynA,lstrlen,lstrcpynA,lstrlen,lstrcpynA,GetSystemInfo,wsprintfW,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00A49188
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A41E26 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,PathCombineW,StrCpyW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,wsprintfW,PathCombineW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00A41E26
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A4AF2C LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrcmpW,StrCpyW,StrCpyW,FindFirstFileW,LocalFree,LocalFree,lstrcmpW,lstrcmpW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrlenW,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalFree,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,LocalFree,FindClose, 0_2_00A4AF2C
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A4643A LocalAlloc,StrCpyW,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,LocalAlloc,LocalAlloc,StrCpyW,StrCpyW,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree, 0_2_00A4643A
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A41B13 FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,StrStrW,lstrlenW,lstrlenW,LocalAlloc,PathCombineW,LocalFree,lstrlenW,FindNextFileW,FindClose, 0_2_00A41B13
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A4B29D LocalAlloc,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,DeleteFileW,LocalAlloc,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,FindNextFileW,LocalFree,FindClose, 0_2_00A4B29D
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A43C9D StrStrW,StrStrW,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,lstrlenW,LocalAlloc,LocalAlloc,StrStrW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,FindFirstFileW,StrStrW,LocalAlloc,StrCpyW,StrRChrW,StrRChrW,LocalAlloc,PathCombineW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,StrStrW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00A43C9D
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A439E5 LocalAlloc,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 0_2_00A439E5
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A49DEA LocalAlloc,StrCpyW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,PathCombineW,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose, 0_2_00A49DEA
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A45870 LocalAlloc,StrCpyW,lstrlenW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,StrCpyW,LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,StrRChrW,StrCpyW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,GetFileSize,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose, 0_2_00A45870
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A4197C FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindClose,StrStrW,StrStrW,LocalAlloc,PathCombineW,lstrlenW, 0_2_00A4197C
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A46053 FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindClose,lstrlenW, 0_2_00A46053
Source: C:\Users\user\Desktop\zRZljp49Uz.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A45D00 LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,GetLogicalDriveStringsW,GetDriveTypeW,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,StrStrW,StrStrW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,StrStrW,GetEnvironmentVariableW,LocalFree,LocalFree,StrCpyW,LocalFree,LocalFree, 0_2_00A45D00
Source: zRZljp49Uz.exe, 00000000.00000002.415337506.0000000000802000.00000004.00000020.00020000.00000000.sdmp, zRZljp49Uz.exe, 00000000.00000003.414770587.0000000000802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: zRZljp49Uz.exe, 00000000.00000002.415337506.0000000000802000.00000004.00000020.00020000.00000000.sdmp, zRZljp49Uz.exe, 00000000.00000003.414770587.0000000000802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A41000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00A41000
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: LocalAlloc,LocalAlloc,LocalAlloc,GetLocaleInfoW,GetUserDefaultLCID,GetLocaleInfoW,wsprintfW,LocalFree,LocalFree, 0_2_00A48F1D
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A49188 cpuid 0_2_00A49188
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A49055 LocalAlloc,GetTimeZoneInformation,LocalAlloc,wsprintfW,LocalFree, 0_2_00A49055
Source: C:\Users\user\Desktop\zRZljp49Uz.exe Code function: 0_2_00A4A798 LocalAlloc,GetUserNameW, 0_2_00A4A798
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 650286 Sample: zRZljp49Uz Startdate: 22/06/2022 Architecture: WINDOWS Score: 72 10 Snort IDS alert for network traffic 2->10 12 Antivirus detection for URL or domain 2->12 14 Antivirus / Scanner detection for submitted sample 2->14 16 Multi AV Scanner detection for submitted file 2->16 5 zRZljp49Uz.exe 12 2->5         started        process3 dnsIp4 8 51.195.166.184, 49746, 80 OVHFR France 5->8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
51.195.166.184
 unknown France
16276 OVHFR true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://51.195.166.184/ true
  • 4%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown