Source: Reciept.exe | ReversingLabs: Detection: 40% |
Source: Reciept.exe | Virustotal: Detection: 42% |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Avira: detection malicious, Label: TR/Dropper.Gen |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | ReversingLabs: Detection: 40% |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Joe Sandbox ML: detected |
Source: 0.0.Reciept.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: 7.0.ch.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: 3.0.ch.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: 0.2.Reciept.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: 7.2.ch.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: Reciept.exe | Malware Configuration Extractor: Kutaki {"C2 url": ["http://newbosslink.xyz/baba/new4.php"]} |
Source: Reciept.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: Malware configuration extractor | IPs: http://newbosslink.xyz/baba/new4.php |
Source: ch.exe, 00000003.00000003.354212015.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ch.exe, 00000003.00000003.353043943.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, ch.exe, 00000003.00000003.353360704.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, ch.exe, 00000003.00000003.354052976.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http:///2.3fLy |
Source: ch.exe, 00000003.00000003.413130550.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http:///;.; |
Source: Yara match | File source: Reciept.exe, type: SAMPLE |
Source: Yara match | File source: 7.0.ch.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.Reciept.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.0.ch.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.0.Reciept.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 7.2.ch.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000000.257096134.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.252108144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000000.279445434.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.294816135.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.259858131.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Reciept.exe PID: 3932, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: ch.exe PID: 5232, type: MEMORYSTR |
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe, type: DROPPED |
Source: Reciept.exe, 00000000.00000002.260120014.000000000082A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: Reciept.exe, 00000000.00000003.259380833.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename29.exe vs Reciept.exe |
Source: Reciept.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: ch.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_0040BCBA | 0_2_0040BCBA |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404084 | 0_2_00404084 |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Code function: 7_2_0040BCBA | 7_2_0040BCBA |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Code function: 7_2_00404084 | 7_2_00404084 |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Reciept.exe | File read: C:\Users\user\Desktop\Reciept.exe |
Source: Reciept.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Reciept.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Reciept.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: unknown | Process created: C:\Users\user\Desktop\Reciept.exe "C:\Users\user\Desktop\Reciept.exe" |
Source: C:\Users\user\Desktop\Reciept.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\Reciept.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe" |
Source: C:\Users\user\Desktop\Reciept.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_01 |
Source: Reciept.exe, ch.exe | Binary or memory string: abase.vbp |
Source: Reciept.exe, 00000000.00000002.259898522.000000000041A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: w@*\AC:\Users\USER\Desktop\Martin-KL\Martin-KL\40-PrjTelDir\PrjTelDir.vbp |
Source: Reciept.exe, ch.exe | Binary or memory string: *\AC:\Users\USER\Desktop\Martin-KL\Martin-KL\40-PrjTelDir\PrjTelDir.vbp |
Source: Reciept.exe, 00000000.00000000.252108144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Reciept.exe, 00000000.00000002.259858131.0000000000401000.00000020.00000001.01000000.00000003.sdmp, ch.exe, 00000003.00000000.257096134.0000000000401000.00000020.00000001.01000000.00000007.sdmp | Binary or memory string: @*\AC:\Users\USER\Desktop\Martin-KL\Martin-KL\40-PrjTelDir\PrjTelDir.vbpabase.vbp, |
Source: C:\Users\user\Desktop\Reciept.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe |
Source: C:\Users\user\Desktop\Reciept.exe | File created: C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp |
Source: classification engine | Classification label: mal100.rans.troj.adwa.spyw.evad.winEXE@8/2@0/1 |
Source: C:\Windows\SysWOW64\cmd.exe | File read: C:\Users\user\Desktop\desktop.ini |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403E4C push 0040123Ah; ret | 0_2_00403E5F |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404A4C push 0040123Ah; ret | 0_2_00404A5F |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_0040764C push 0040123Ah; ret | 0_2_0040765F |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403250 push 0040123Ah; ret | 0_2_00403263 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403E60 push 0040123Ah; ret | 0_2_00403E73 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404A60 push 0040123Ah; ret | 0_2_00404A73 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00407660 push 0040123Ah; ret | 0_2_00407673 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403264 push 0040123Ah; ret | 0_2_00403277 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403E74 push 0040123Ah; ret | 0_2_00403E87 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404A74 push 0040123Ah; ret | 0_2_00404A87 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00407674 push 0040123Ah; ret | 0_2_00407687 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_0040747B push 0040123Ah; ret | 0_2_00407493 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403E10 push 0040123Ah; ret | 0_2_00403E23 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404A10 push 0040123Ah; ret | 0_2_00404A23 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00407610 push 0040123Ah; ret | 0_2_00407623 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403E24 push 0040123Ah; ret | 0_2_00403E37 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404A24 push 0040123Ah; ret | 0_2_00404A37 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00407624 push 0040123Ah; ret | 0_2_00407637 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403228 push 0040123Ah; ret | 0_2_0040323B |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00403E38 push 0040123Ah; ret | 0_2_00403E4B |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00404A38 push 0040123Ah; ret | 0_2_00404A4B |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00407638 push 0040123Ah; ret | 0_2_0040764B |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_0040323C push 0040123Ah; ret | 0_2_0040324F |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_0040263D push 0040123Ah; ret | 0_2_004026AF |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_004026C4 push 0040123Ah; ret | 0_2_004026D7 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_004076C4 push 0040123Ah; ret | 0_2_004076D7 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_004074CB push 0040123Ah; ret | 0_2_004074E3 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_00401CD0 push 0040123Ah; ret | 0_2_00401D0B |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_004036D0 push 0040123Ah; ret | 0_2_004036E3 |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_004026D8 push 0040123Ah; ret | 0_2_004026EB |
Source: C:\Users\user\Desktop\Reciept.exe | Code function: 0_2_004076D8 push 0040123Ah; ret | 0_2_004076EB |
Source: C:\Users\user\Desktop\Reciept.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Users\user\Desktop\Reciept.exe | Process information set: NOOPENFILEERRORBOX |