
Windows Analysis Report
dmB3aYi8Bo.bin

Overview

General Information

Sample Name: dmB3aYi8Bo.bin (renamed file extension from bin to exe)
Analysis ID: 691233
MD5: 56aa277081075438c3dbbef841299172
SHA1: e5870965f41cb82f454043845641ae92b6c6b939
SHA256: 0eab1c5406f415f75ab39dbf3651cee9d41a0e0b6d5bdb51042412b57f0aea05
Tags: exeunnamed10

Detection

ZeusVM
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected ZeusVM e-Banking Trojan
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected potential crypto function
May initialize a security null descriptor
Contains functionality to launch a process as a different user
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • dmB3aYi8Bo.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\dmB3aYi8Bo.exe" MD5: 56AA277081075438C3DBBEF841299172)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: dmB3aYi8Bo.exe | Avira: detected
Source: dmB3aYi8Bo.exe | Virustotal: Detection: 57%
Source: dmB3aYi8Bo.exe | ReversingLabs: Detection: 76%
Source: dmB3aYi8Bo.exe | Joe Sandbox ML: detected
Source: 0.0.dmB3aYi8Bo.exe.12b0000.0.unpack | Avira: Label: TR/Spy.Zbot.afkmx
Source: 0.2.dmB3aYi8Bo.exe.12b0000.0.unpack | Avira: Label: TR/Spy.Zbot.afkmx
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B48A2 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: dmB3aYi8Bo.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012BD399 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012BD44A FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B685D select,recv,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012CA854 GetKeyboardState,ToUnicode,TranslateMessage,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012CA8EB GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock,

E-Banking Fraud

Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B30C0 lstrcmpiA,lstrcmpiA,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012D022B OpenDesktopW,CreateDesktopW,
Source: dmB3aYi8Bo.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012C80B0 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012C1A81 ExitWindowsEx,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B6177
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B636F
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B5B49
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B5D60
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B5F21
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012C976D
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B1BC2
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012CAFE4
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B6601
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012BBAD7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012C2BCD NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012C2C77 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,
Source: dmB3aYi8Bo.exe | Virustotal: Detection: 57%
Source: dmB3aYi8Bo.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012C2F67 CreateToolhelp32Snapshot,Process32FirstW,GetLengthSid,CloseHandle,Process32NextW,CloseHandle,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B4E98 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B395D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B3813 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: classification engine | Classification label: mal72.bank.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B504C LoadLibraryW,GetProcAddress,FreeLibrary,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | API coverage: 1.9 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012C105D mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B18F2 HeapCreate,GetProcessHeap,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012C2D9E LdrLoadDll,LdrGetDllHandle,LdrLoadDll,EnterCriticalSection,LeaveCriticalSection,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B6FBD InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B3E69 GetTimeZoneInformation,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012C7B5C GetVersionExW,GetNativeSystemInfo,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B1B1D PFXImportCertStore,GetSystemTime,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012C87ED GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW,
Source: dmB3aYi8Bo.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality

Source: dmB3aYi8Bo.exe | String found in binary or memory: RFB 003.003
Source: dmB3aYi8Bo.exe | String found in binary or memory: RFB 003.003
Source: dmB3aYi8Bo.exe, 00000000.00000000.311521845.00000000012D7000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: RFB 003.003
Source: dmB3aYi8Bo.exe, 00000000.00000000.311521845.00000000012D7000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: ! RFB 003.003
Source: dmB3aYi8Bo.exe | String found in binary or memory: RFB 003.003
Source: dmB3aYi8Bo.exe | String found in binary or memory: ! RFB 003.003
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B6A4C socket,bind,listen,closesocket,
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe | Code function: 0_2_012B1929 socket,bind,closesocket,
MITRE ATT&CK Matrix, listed per tactic (the number in parentheses is the count of matching signatures; entries without a number are unmatched matrix cells):

  • Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
  • Execution: Command and Scripting Interpreter (2), Native API (21), At (Linux), At (Windows), Cron, Launchd, Scheduled Task
  • Persistence: Create Account (1), Valid Accounts (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
  • Privilege Escalation: Valid Accounts (1), Access Token Manipulation (11), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
  • Defense Evasion: Valid Accounts (1), Access Token Manipulation (11), Install Root Certificate (1), Software Packing (1), Software Packing, Steganography, Compile After Delivery
  • Credential Access: Input Capture (11), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
  • Discovery: System Time Discovery (2), Security Software Discovery (1), Process Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (3)
  • Lateral Movement: Remote Desktop Protocol (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
  • Collection: Input Capture (11), Archive Collected Data (1), Clipboard Data (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
  • Command and Control: Encrypted Channel (2), Remote Access Software (1), Ingress Tool Transfer (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Source | Detection | Scanner | Label
dmB3aYi8Bo.exe | 58% | Virustotal |
dmB3aYi8Bo.exe | 77% | ReversingLabs | Win32.Trojan.Zeus
dmB3aYi8Bo.exe | 100% | Avira | TR/Spy.Zbot.afkmx
dmB3aYi8Bo.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.0.dmB3aYi8Bo.exe.12b0000.0.unpack | 100% | Avira | TR/Spy.Zbot.afkmx
0.2.dmB3aYi8Bo.exe.12b0000.0.unpack | 100% | Avira | TR/Spy.Zbot.afkmx
No contacted domains info
No contacted IP infos
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 691233
Start date and time: 2022-08-27 03:52:44 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: dmB3aYi8Bo.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.bank.troj.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 95.4%)
  • Quality average: 88.3%
  • Quality standard deviation: 24.3%
HCA Information:
  • Successful, ratio: 91%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.974490890199798
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: dmB3aYi8Bo.exe
File size: 187392
MD5: 56aa277081075438c3dbbef841299172
SHA1: e5870965f41cb82f454043845641ae92b6c6b939
SHA256: 0eab1c5406f415f75ab39dbf3651cee9d41a0e0b6d5bdb51042412b57f0aea05
SHA512: 6f128a1a9d8b1bb96bc7fa92fad1170395b1ce9603168fb1925bbeb1a5d910f0f8b5999eabdcd4b1dacae376d4ff479d878920984ba68d951a46ac7056b7ad69
SSDEEP: 3072:bGVWrMNKUhjhoo7MQW/ieN6RzNLWV+1hpNaL+90tLsVXzJQYMUCb:bGArMNKUhjWl/ieNULu8h39SLSuYMUCb
TLSH: 2E04BF3EB9D15877C86F213149E9B6B432EED730136A49C7E1CD0E0938529E2A739397
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......")..fH..fH..fH..fH..gH..o04.{H..fH..>I...>..zH...>:.gH..RichfH..................PE..L......N.................V.................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x401a1e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp: 0x4EF1CD9B [Wed Dec 21 12:14:19 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: f6a985405556b98acbdb7255917b9fb5
Instruction
jmp 00007F2E38A4556Eh
jmp 00007F2E38A40747h
jmp 00007F2E38A3A3D3h
jmp 00007F2E38A4493Fh
jmp 00007F2E38A49424h
jmp 00007F2E38A45EB6h
jmp 00007F2E38A45C09h
jmp 00007F2E38A4114Dh
jmp 00007F2E38A46240h
jmp 00007F2E38A40FABh
jmp 00007F2E38A4D9F6h
jmp 00007F2E38A3F627h
jmp 00007F2E38A3760Eh
jmp 00007F2E38A52351h
jmp 00007F2E38A4834Fh
jmp 00007F2E38A46C17h
jmp 00007F2E38A4AE0Eh
jmp 00007F2E38A4C913h
jmp 00007F2E38A3D105h
jmp 00007F2E38A379D6h
jmp 00007F2E38A38449h
jmp 00007F2E38A4756Dh
jmp 00007F2E38A40E8Fh
jmp 00007F2E38A515B7h
jmp 00007F2E38A3CCDEh
jmp 00007F2E38A36C3Eh
jmp 00007F2E38A408E5h
jmp 00007F2E38A373DEh
jmp 00007F2E38A3CD9Bh
jmp 00007F2E38A3D1FCh
jmp 00007F2E38A382B8h
jmp 00007F2E38A37061h
jmp 00007F2E38A374CAh
jmp 00007F2E38A3D7D0h
jmp 00007F2E38A3E9A5h
jmp 00007F2E38A54798h
jmp 00007F2E38A3D7E0h
jmp 00007F2E38A403B8h
jmp 00007F2E38A375E4h
jmp 00007F2E38A461A4h
Programming Language:
  • [IMP] VS2008 SP1 build 30729
  • [C++] VS2010 build 30319
  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e000 | 0x12c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x31000 | 0x1350 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2e9f8 | 0x8cc | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x21f7b | 0x22000 | False | 0.48848948759191174 | data | 5.9162227847345825 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
code | 0x23000 | 0x35d1 | 0x3600 | False | 0.24254918981481483 | data | 3.993522758518666 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x27000 | 0x323c | 0x3400 | False | 0.6225961538461539 | data | 5.636797675605685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2b000 | 0x2a3a | 0x600 | False | 0.150390625 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 1.1042325865513358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e000 | 0x2e8d | 0x3000 | False | 0.3174641927083333 | data | 4.73911940856972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x31000 | 0x1649 | 0x1800 | False | 0.6793619791666666 | data | 5.9673223528898065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Imports
KERNEL32.dll | SystemTimeToFileTime, WideCharToMultiByte, MultiByteToWideChar, FormatMessageW, OpenProcess, CreateProcessW, FileTimeToDosDateTime, FileTimeToLocalFileTime, GetFileInformationByHandle, GetVolumeNameForVolumeMountPointW, GetOverlappedResult, RemoveDirectoryW, FindClose, FindNextFileW, FindFirstFileW, SetEndOfFile, GetEnvironmentVariableW, DuplicateHandle, CreateEventW, GetModuleFileNameW, SetErrorMode, GetVersionExW, GetCurrentProcessId, GetFileAttributesExW, SetEvent, OpenEventW, lstrcpyW, ExitProcess, MulDiv, InitializeCriticalSection, FlushFileBuffers, GetThreadContext, GetProcessId, LeaveCriticalSection, EnterCriticalSection, CreateRemoteThread, Process32NextW, Process32FirstW, DeleteCriticalSection, GetLocalTime, GetPrivateProfileStringW, GetPrivateProfileIntW, GetNativeSystemInfo, GetUserDefaultUILanguage, MoveFileExW, GlobalUnlock, GlobalLock, GetCurrentThreadId, TlsGetValue, TlsSetValue, TerminateProcess, ResetEvent, MapViewOfFile, CreateFileMappingW, TlsAlloc, UnmapViewOfFile, TlsFree, WaitForMultipleObjects, SetLastError, ExpandEnvironmentStringsW, GetFileAttributesW, CreateDirectoryW, GetFileTime, SetFileTime, GetTempPathW, GetTempFileNameW, SetFileAttributesW, LoadLibraryA, ReadFile, DeleteFileW, SetFilePointerEx, GetFileSizeEx, VirtualAlloc, VirtualFree, CreateFileW, SetFilePointer, WriteFile, VirtualFreeEx, IsBadReadPtr, VirtualAllocEx, VirtualProtectEx, ReadProcessMemory, WriteProcessMemory, SetThreadContext, VirtualQueryEx, OpenMutexW, ReleaseMutex, CreateMutexW, LocalFree, LoadLibraryW, FreeLibrary, CreateThread, GetModuleHandleW, GetProcAddress, GetLastError, CreateToolhelp32Snapshot, Thread32First, Thread32Next, CloseHandle, lstrcmpiW, Sleep, GetTickCount, GetTimeZoneInformation, HeapFree, HeapAlloc, HeapReAlloc, HeapDestroy, HeapCreate, GetProcessHeap, GetSystemTime, lstrcmpiA, GetCurrentThread, SetThreadPriority, GetCommandLineW, WaitForSingleObject
USER32.dll | RegisterClassA, RegisterClassExW, RegisterClassExA, CreateWindowStationW, OpenWindowStationW, SetProcessWindowStation, GetProcessWindowStation, CreateDesktopW, SetThreadDesktop, CloseWindowStation, CloseDesktop, GetUpdateRgn, GetUpdateRect, GetWindowDC, GetDCEx, EndPaint, BeginPaint, IntersectRect, EqualRect, CallWindowProcW, PrintWindow, PeekMessageA, GetMessageA, GetMessageW, GetCapture, ReleaseCapture, SetCapture, SetCursorPos, GetCursorPos, GetMessagePos, GetWindowInfo, GetAncestor, RegisterClassW, GetClassLongW, GetWindowRect, IsRectEmpty, GetParent, MapWindowPoints, SetWindowPos, IsWindow, DefMDIChildProcA, DefMDIChildProcW, DefFrameProcA, DefFrameProcW, DefDlgProcA, DefDlgProcW, DefWindowProcA, SwitchDesktop, OpenDesktopW, OpenInputDesktop, GetMenu, GetMenuItemCount, GetMenuState, HiliteMenuItem, MenuItemFromPoint, EndMenu, GetSubMenu, GetMenuItemRect, TrackPopupMenuEx, FillRect, GetMenuItemID, SetKeyboardState, GetShellWindow, SystemParametersInfoW, DrawEdge, GetUserObjectInformationW, GetWindowThreadProcessId, CallWindowProcA, RegisterWindowMessageW, GetClassNameW, PostThreadMessageW, DefWindowProcW, CharLowerBuffA, CharLowerW, CharLowerA, SendMessageW, MapVirtualKeyW, PostMessageW, GetSystemMetrics, GetClipboardData, GetKeyboardState, ToUnicode, ExitWindowsEx, CharToOemW, GetDC, ReleaseDC, LoadImageW, GetWindowTextLengthW, GetWindowTextW, WindowFromPoint, SendMessageTimeoutW, GetWindowLongW, SetWindowLongW, DispatchMessageW, TranslateMessage, PeekMessageW, MsgWaitForMultipleObjects, CharUpperW, GetWindow, GetTopWindow, GetThreadDesktop
ADVAPI32.dll | CryptReleaseContext, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptAcquireContextW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, OpenThreadToken, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, SetSecurityDescriptorSacl, GetSecurityDescriptorSacl, ConvertStringSecurityDescriptorToSecurityDescriptorW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetNamedSecurityInfoW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegSetValueExW, RegCreateKeyExW, CreateProcessAsUserW, GetLengthSid, ConvertSidToStringSidW, InitiateSystemShutdownExW
SHLWAPI.dll | PathIsURLW, PathQuoteSpacesW, PathRenameExtensionW, PathIsDirectoryW, PathMatchSpecW, UrlUnescapeA, PathAddBackslashW, PathRemoveBackslashW, PathRemoveFileSpecW, PathAddExtensionW, PathFindFileNameW, wvnsprintfA, wvnsprintfW, PathCombineW, PathUnquoteSpacesW, PathSkipRootW, StrCmpNIA, SHDeleteValueW, SHDeleteKeyW, PathIsRelativeW, StrCmpNIW
SHELL32.dll | ShellExecuteW, CommandLineToArgvW, SHGetFolderPathW
Secur32.dll | GetUserNameExW
PSAPI.DLL | EnumProcessModules, GetModuleBaseNameW, GetModuleFileNameExW
ole32.dll | CLSIDFromString, StringFromGUID2
GDI32.dll | RestoreDC, SetViewportOrgEx, SaveDC, GdiFlush, CreateCompatibleDC, SetRectRgn, SelectObject, CreateCompatibleBitmap, DeleteObject, CreateDIBSection, GetObjectW, GetDIBits, DeleteDC, CreateFontIndirectW, GetDeviceCaps
COMCTL32.dll | InitCommonControlsEx
WS2_32.dll | select, send, WSACleanup, WSAStartup, closesocket, connect, recvfrom, sendto, WSASend, getpeername, WSAStringToAddressW, WSAAddressToStringW, getsockname, WSAGetLastError, setsockopt, WSAIoctl, shutdown, accept, WSASetLastError, bind, listen, getaddrinfo, freeaddrinfo, recv, socket
CRYPT32.dll | CertDuplicateCertificateContext, CertDeleteCertificateFromStore, CertOpenSystemStoreW, CertEnumCertificatesInStore, PFXExportCertStoreEx, CertCloseStore, PFXImportCertStore
WININET.dll | GetUrlCacheEntryInfoW, HttpAddRequestHeadersW, HttpSendRequestW, HttpSendRequestExW, HttpSendRequestExA, InternetReadFileExA, InternetQueryDataAvailable, HttpAddRequestHeadersA, InternetCrackUrlA, InternetReadFile, InternetQueryOptionW, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetQueryOptionA, InternetOpenA, InternetSetOptionA, InternetConnectA, InternetCloseHandle, InternetSetStatusCallbackW
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
No network behavior found
No statistics
Target ID: 0
Start time: 03:53:44
Start date: 27/08/2022
Path: C:\Users\user\Desktop\dmB3aYi8Bo.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\dmB3aYi8Bo.exe"
Imagebase: 0x12b0000
File size: 187392 bytes
MD5 hash: 56AA277081075438C3DBBEF841299172
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

No disassembly