Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
zRZljp49Uz

Overview

General Information

Sample Name:zRZljp49Uz (renamed file extension from none to exe)
Analysis ID:650286
MD5:0cfa58846e43dd67b6d9f29e97f6c53e
SHA1:19d9fbfd9b23d4bd435746a524443f1a962d42fa
SHA256:022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03
Tags:exeRaccoonStealerRecordBreaker
Infos:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Uses 32bit PE files
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to query locales information (e.g. system language)
Found evasive API chain checking for process token information
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Program does not show much activity (idle)
IP address seen in connection with other malware

Classification

  • System is w10x64
  • zRZljp49Uz.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\zRZljp49Uz.exe" MD5: 0CFA58846E43DD67B6D9F29E97F6C53E)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp:192.168.2.551.195.166.18449746802036934 06/22/22-12:00:13.668134
SID:2036934
Source Port:49746
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected
Timestamp:192.168.2.551.195.166.18449746802036882 06/22/22-12:00:13.668134
SID:2036882
Source Port:49746
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: zRZljp49Uz.exeAvira: detected
Source: zRZljp49Uz.exeVirustotal: Detection: 73%Perma Link
Source: zRZljp49Uz.exeMetadefender: Detection: 28%Perma Link
Source: zRZljp49Uz.exeReversingLabs: Detection: 88%
Source: http://51.195.166.184/Avira URL Cloud: Label: malware
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A41806 lstrlen,LocalAlloc,LocalAlloc,lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A41726 CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,StrCpyW,LocalFree,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A417A1 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A4617D LocalAlloc,CryptStringToBinaryA,lstrlen,CryptStringToBinaryA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,StrCpyW,LocalFree,StrCpyW,StrCpyW,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A43244 LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A427C6 LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A42CC6 LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,CopyFileW,DeleteFileW,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,lstrcmpW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,CryptUnprotectData,lstrcmpW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,
Source: zRZljp49Uz.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: zRZljp49Uz.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A41E26 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,PathCombineW,StrCpyW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,wsprintfW,PathCombineW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A4AF2C LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrcmpW,StrCpyW,StrCpyW,FindFirstFileW,LocalFree,LocalFree,lstrcmpW,lstrcmpW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrlenW,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalFree,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,LocalFree,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A4643A LocalAlloc,StrCpyW,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,LocalAlloc,LocalAlloc,StrCpyW,StrCpyW,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A41B13 FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,StrStrW,lstrlenW,lstrlenW,LocalAlloc,PathCombineW,LocalFree,lstrlenW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A4B29D LocalAlloc,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,DeleteFileW,LocalAlloc,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,FindNextFileW,LocalFree,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A43C9D StrStrW,StrStrW,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,lstrlenW,LocalAlloc,LocalAlloc,StrStrW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,FindFirstFileW,StrStrW,LocalAlloc,StrCpyW,StrRChrW,StrRChrW,LocalAlloc,PathCombineW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,StrStrW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A439E5 LocalAlloc,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A49DEA LocalAlloc,StrCpyW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,PathCombineW,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A45870 LocalAlloc,StrCpyW,lstrlenW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,StrCpyW,LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,StrRChrW,StrCpyW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,GetFileSize,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A4197C FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindClose,StrStrW,StrStrW,LocalAlloc,PathCombineW,lstrlenW,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A46053 FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindClose,lstrlenW,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A45D00 LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,GetLogicalDriveStringsW,GetDriveTypeW,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,StrStrW,StrStrW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,StrStrW,GetEnvironmentVariableW,LocalFree,LocalFree,StrCpyW,LocalFree,LocalFree,

Networking

barindex
Source: TrafficSnort IDS: 2036882 ET TROJAN Generic Stealer Config Download Request 192.168.2.5:49746 -> 51.195.166.184:80
Source: TrafficSnort IDS: 2036934 ET TROJAN Win32/RecordBreaker CnC Checkin 192.168.2.5:49746 -> 51.195.166.184:80
Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
Source: Joe Sandbox ViewIP Address: 51.195.166.184 51.195.166.184
Source: unknownTCP traffic detected without corresponding DNS query: 51.195.166.184
Source: unknownTCP traffic detected without corresponding DNS query: 51.195.166.184
Source: unknownTCP traffic detected without corresponding DNS query: 51.195.166.184
Source: unknownTCP traffic detected without corresponding DNS query: 51.195.166.184
Source: unknownTCP traffic detected without corresponding DNS query: 51.195.166.184
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3 (Ubuntu)Date: Wed, 22 Jun 2022 10:00:13 GMTContent-Type: text/html; charset=utf-8Content-Length: 14Connection: keep-aliveContent-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requestsCross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originX-DNS-Prefetch-Control: offExpect-CT: max-age=0X-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffOrigin-Agent-Cluster: ?1X-Permitted-Cross-Domain-Policies: noneReferrer-Policy: no-referrerX-XSS-Protection: 0ETag: W/"e-vDAjs2Bjp2gdskaBRytU+hHw1Ow"Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found
Source: zRZljp49Uz.exe, 00000000.00000002.415337506.0000000000802000.00000004.00000020.00020000.00000000.sdmp, zRZljp49Uz.exe, 00000000.00000003.414770587.0000000000802000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://51.195.166.184/
Source: unknownHTTP traffic detected: POST / HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: recordHost: 51.195.166.184Content-Length: 95Connection: Keep-AliveCache-Control: no-cacheData Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 61 6c 66 6f 6e 73 26 63 6f 6e 66 69 67 49 64 3d 35 39 63 39 37 33 37 32 36 34 63 30 62 33 32 30 39 64 39 31 39 33 62 38 64 65 64 36 63 31 32 37 Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user&configId=59c9737264c0b3209d9193b8ded6c127
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A479F3 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,StrStrW,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,InternetOpenW,InternetOpenW,InternetConnectW,InternetConnectW,HttpOpenRequestW,HttpOpenRequestW,lstrlen,HttpSendRequestW,lstrlenW,HttpSendRequestW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalAlloc,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalFree,LocalFree,LocalFree,
Source: zRZljp49Uz.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: String function: 00A41806 appears 92 times
Source: zRZljp49Uz.exeVirustotal: Detection: 73%
Source: zRZljp49Uz.exeMetadefender: Detection: 28%
Source: zRZljp49Uz.exeReversingLabs: Detection: 88%
Source: zRZljp49Uz.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\zRZljp49Uz.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A4A2D7 CreateToolhelp32Snapshot,Process32First,Process32Next,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\zRZljp49Uz.exeMutant created: \Sessions\1\BaseNamedObjects\8724643052
Source: classification engineClassification label: mal72.winEXE@1/0@0/1
Source: zRZljp49Uz.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: zRZljp49Uz.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A41000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A41000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\zRZljp49Uz.exeAPI coverage: 8.0 %
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A49188 LocalAlloc,LocalAlloc,LocalAlloc,lstrlen,lstrcpynA,lstrlen,lstrcpynA,lstrlen,lstrcpynA,GetSystemInfo,wsprintfW,LocalFree,LocalFree,LocalFree,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A41E26 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,PathCombineW,StrCpyW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,wsprintfW,PathCombineW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A4AF2C LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrcmpW,StrCpyW,StrCpyW,FindFirstFileW,LocalFree,LocalFree,lstrcmpW,lstrcmpW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrlenW,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalFree,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,LocalFree,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A4643A LocalAlloc,StrCpyW,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,LocalAlloc,LocalAlloc,StrCpyW,StrCpyW,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A41B13 FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,StrStrW,lstrlenW,lstrlenW,LocalAlloc,PathCombineW,LocalFree,lstrlenW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A4B29D LocalAlloc,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,DeleteFileW,LocalAlloc,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,FindNextFileW,LocalFree,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A43C9D StrStrW,StrStrW,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,lstrlenW,LocalAlloc,LocalAlloc,StrStrW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,FindFirstFileW,StrStrW,LocalAlloc,StrCpyW,StrRChrW,StrRChrW,LocalAlloc,PathCombineW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,StrStrW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A439E5 LocalAlloc,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A49DEA LocalAlloc,StrCpyW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,PathCombineW,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A45870 LocalAlloc,StrCpyW,lstrlenW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,StrCpyW,LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,StrRChrW,StrCpyW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,GetFileSize,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A4197C FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindClose,StrStrW,StrStrW,LocalAlloc,PathCombineW,lstrlenW,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A46053 FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindClose,lstrlenW,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A45D00 LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,GetLogicalDriveStringsW,GetDriveTypeW,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,StrStrW,StrStrW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,StrStrW,GetEnvironmentVariableW,LocalFree,LocalFree,StrCpyW,LocalFree,LocalFree,
Source: zRZljp49Uz.exe, 00000000.00000002.415337506.0000000000802000.00000004.00000020.00020000.00000000.sdmp, zRZljp49Uz.exe, 00000000.00000003.414770587.0000000000802000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW8
Source: zRZljp49Uz.exe, 00000000.00000002.415337506.0000000000802000.00000004.00000020.00020000.00000000.sdmp, zRZljp49Uz.exe, 00000000.00000003.414770587.0000000000802000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A41000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: LocalAlloc,LocalAlloc,LocalAlloc,GetLocaleInfoW,GetUserDefaultLCID,GetLocaleInfoW,wsprintfW,LocalFree,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A49188 cpuid
Source: C:\Users\user\Desktop\zRZljp49Uz.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A49055 LocalAlloc,GetTimeZoneInformation,LocalAlloc,wsprintfW,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exeCode function: 0_2_00A4A798 LocalAlloc,GetUserNameW,
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts2
Native API
Path InterceptionPath Interception1
Deobfuscate/Decode Files or Information
OS Credential Dumping1
System Time Discovery
Remote ServicesData from Local SystemExfiltration Over Other Network Medium1
Encrypted Channel
Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Obfuscated Files or Information
LSASS Memory1
Security Software Discovery
Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth3
Ingress Tool Transfer
Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager1
Process Discovery
SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
Non-Application Layer Protocol
Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDS1
Account Discovery
Distributed Component Object ModelInput CaptureScheduled Transfer2
Application Layer Protocol
SIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
System Owner/User Discovery
SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials2
File and Directory Discovery
VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync23
System Information Discovery
Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
zRZljp49Uz.exe74%VirustotalBrowse
zRZljp49Uz.exe29%MetadefenderBrowse
zRZljp49Uz.exe88%ReversingLabsWin32.Infostealer.Coins
zRZljp49Uz.exe100%AviraHEUR/AGEN.1234185
No Antivirus matches
SourceDetectionScannerLabelLinkDownload
0.2.zRZljp49Uz.exe.a40000.0.unpack100%AviraHEUR/AGEN.1234185Download File
0.0.zRZljp49Uz.exe.a40000.0.unpack100%AviraHEUR/AGEN.1234185Download File
No Antivirus matches
SourceDetectionScannerLabelLink
http://51.195.166.184/4%VirustotalBrowse
http://51.195.166.184/100%Avira URL Cloudmalware
No contacted domains info
NameMaliciousAntivirus DetectionReputation
http://51.195.166.184/true
  • 4%, Virustotal, Browse
  • Avira URL Cloud: malware
unknown
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs
IPDomainCountryFlagASNASN NameMalicious
51.195.166.184
unknownFrance
16276OVHFRtrue
Joe Sandbox Version:35.0.0 Citrine
Analysis ID:650286
Start date and time: 22/06/202211:59:072022-06-22 11:59:07 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 49s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:zRZljp49Uz (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.winEXE@1/0@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 64.6%)
  • Quality average: 31.3%
  • Quality standard deviation: 29.3%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
  • Excluded IPs from analysis (whitelisted): 20.82.210.154
  • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com, arc.trafficmanager.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, arc.msn.com
  • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
No context
No context
No context
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.3513101497739335
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:zRZljp49Uz.exe
File size:56832
MD5:0cfa58846e43dd67b6d9f29e97f6c53e
SHA1:19d9fbfd9b23d4bd435746a524443f1a962d42fa
SHA256:022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03
SHA512:263bb15955a86788d3006f4d3fdeabe6fed1291b6c6e60471ffdb59626755a81d1ffbafc58fe13c0633cb67f3f1d9a3ec92046b6d85eba56e56cd1c252ea4ea0
SSDEEP:1536:qzwshK8pUMGxo0xwwW9VemFMGfpbbVDzANyCa:wwshK8yMexbW9vJVDzANs
TLSH:1B4307814885EC73C15248B4278D752FDBDEDC022A20F1CBB736F7D746E618249AA39B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g~..............m.......m.......m..............#s......#s......Rich............................PE..L......b...................
Icon Hash:00828e8e8686b000
Entrypoint:0x407486
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x628F8781 [Thu May 26 13:58:25 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:4ec5227a81c3e90d891321c143c67557
Instruction
push ebp
mov ebp, esp
sub esp, 000000E4h
push ebx
push esi
push edi
call 00007F1420F4962Eh
call 00007F1420F4C65Fh
push 00000000h
call dword ptr [0040E068h]
and dword ptr [ebp-04h], 00000000h
mov esi, 0040D43Ch
mov ecx, esi
call 00007F1420F52BABh
mov dword ptr [ebp-10h], eax
mov ecx, 0040D460h
lea eax, dword ptr [ebp-04h]
push esi
push eax
call 00007F1420F52CD1h
lea edx, dword ptr [ebp-04h]
mov ecx, eax
call 00007F1420F49DFBh
mov ebx, 0040EC98h
push eax
mov ecx, ebx
call 00007F1420F50D2Eh
mov edi, eax
mov ecx, 0040D4A8h
lea eax, dword ptr [ebp-04h]
push esi
push eax
call 00007F1420F52CA9h
lea edx, dword ptr [ebp-04h]
mov ecx, eax
call 00007F1420F49DD3h
push eax
mov ecx, ebx
call 00007F1420F50D0Bh
mov esi, eax
mov ecx, 0040D4F0h
lea eax, dword ptr [ebp-04h]
push 0040D43Ch
push eax
call 00007F1420F52C82h
lea edx, dword ptr [ebp-04h]
mov ecx, eax
call 00007F1420F49DACh
push eax
mov ecx, ebx
call 00007F1420F50CE4h
mov dword ptr [ebp-34h], esi
mov ecx, 0040D538h
mov dword ptr [ebp-30h], eax
mov esi, 0040D43Ch
lea eax, dword ptr [ebp-04h]
mov dword ptr [ebp-38h], edi
push esi
push eax
call 00007F1420F52C53h
lea edx, dword ptr [ebp-04h]
mov ecx, eax
call 00007F1420F49D7Dh
NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0xd8bc0x3c.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x100000x148c.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0xd7900x38.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0xc0000x30.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000xa6150xa800False0.45175316220238093data6.037478061501936IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0xc0000x19ba0x1a00False0.5072115384615384data5.271640666045761IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0xe0000x14c00x200False0.03125ISO-8859 text, with no line terminators0.06116285224115448IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc0x100000x148c0x1600False0.7867542613636364data6.654962728887089IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLLImport
KERNEL32.dlllstrcpynA, GetUserDefaultLCID, GetSystemInfo, LocalFree, FreeLibrary, GetProcAddress, LoadLibraryW
ADVAPI32.dllGetUserNameW
TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
192.168.2.551.195.166.18449746802036934 06/22/22-12:00:13.668134TCP2036934ET TROJAN Win32/RecordBreaker CnC Checkin4974680192.168.2.551.195.166.184
192.168.2.551.195.166.18449746802036882 06/22/22-12:00:13.668134TCP2036882ET TROJAN Generic Stealer Config Download Request4974680192.168.2.551.195.166.184
TimestampSource PortDest PortSource IPDest IP
Jun 22, 2022 12:00:13.637087107 CEST4974680192.168.2.551.195.166.184
Jun 22, 2022 12:00:13.667448997 CEST804974651.195.166.184192.168.2.5
Jun 22, 2022 12:00:13.667654037 CEST4974680192.168.2.551.195.166.184
Jun 22, 2022 12:00:13.668133974 CEST4974680192.168.2.551.195.166.184
Jun 22, 2022 12:00:13.698446035 CEST804974651.195.166.184192.168.2.5
Jun 22, 2022 12:00:13.733907938 CEST804974651.195.166.184192.168.2.5
Jun 22, 2022 12:00:13.734102011 CEST4974680192.168.2.551.195.166.184
Jun 22, 2022 12:00:14.151949883 CEST4974680192.168.2.551.195.166.184
  • 51.195.166.184
Session IDSource IPSource PortDestination IPDestination PortProcess
0192.168.2.54974651.195.166.18480C:\Users\user\Desktop\zRZljp49Uz.exe
TimestampkBytes transferredDirectionData
Jun 22, 2022 12:00:13.668133974 CEST399OUTPOST / HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: record
Host: 51.195.166.184
Content-Length: 95
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 61 6c 66 6f 6e 73 26 63 6f 6e 66 69 67 49 64 3d 35 39 63 39 37 33 37 32 36 34 63 30 62 33 32 30 39 64 39 31 39 33 62 38 64 65 64 36 63 31 32 37
Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user&configId=59c9737264c0b3209d9193b8ded6c127
Jun 22, 2022 12:00:13.733907938 CEST400INHTTP/1.1 404 Not Found
Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 22 Jun 2022 10:00:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 14
Connection: keep-alive
Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
X-DNS-Prefetch-Control: off
Expect-CT: max-age=0
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
Origin-Agent-Cluster: ?1
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer
X-XSS-Protection: 0
ETag: W/"e-vDAjs2Bjp2gdskaBRytU+hHw1Ow"
Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64
Data Ascii: Page not found


No statistics
Target ID:0
Start time:12:00:10
Start date:22/06/2022
Path:C:\Users\user\Desktop\zRZljp49Uz.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\zRZljp49Uz.exe"
Imagebase:0xa40000
File size:56832 bytes
MD5 hash:0CFA58846E43DD67B6D9F29E97F6C53E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

No disassembly