Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 736956
MD5: 9156fa044ec274f670095e43e205d137
SHA1: 62107d1bd3cb01d59924433f1c8a97c7096d5fb7
SHA256: 861751b8c762f3332f12c1f4ff45c3108357b1debbde2a07a5e9d44e806ce88d
Tags: exe

Detection

Nymaim
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: file.exe ReversingLabs: Detection: 17%
Source: http://171.22.30.106/library.php URL Reputation: Label: malware
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\0JzI2az.exe ReversingLabs: Detection: 38%
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Joe Sandbox ML: detected
Source: 2.2.fnsearcher68.exe.10000000.6.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.2.is-SQE6E.tmp.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.2.file.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 00000002.00000002.343591826.0000000000400000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.139.105.1", "85.31.46.167"]}
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0045A060 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 1_2_0045A060
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0045A114 ArcFourCrypt, 1_2_0045A114
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0045A12C ArcFourCrypt, 1_2_0045A12C
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy, 2_2_00403770
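The fnsearcher68.exe call chain above (CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDeriveKey, CryptDecrypt) is the CryptoAPI idiom for turning a string into a symmetric key, and CryptDeriveKey's expansion is deterministic and documented, so an analyst who recovers the hashed string, the CALG_* identifiers and the key length can reproduce the key outside Windows. The following is an added example, not the sample's code and not part of the report: the derivation is the documented algorithm; the choice of MD5, RC4, a 16-byte key and a UTF-16LE input (the _mbstowcs call immediately before CryptHashData suggests a wide string is hashed) are assumptions for the demo, because the report does not show which algorithm IDs the sample passes. The same RC4 primitive is what the Inno Setup stub's ArcFourCrypt / ISCryptGetVersion routines (via ISCrypt.dll) provide for password-protected installer data.

```python
import hashlib


def crypt_derive_key(base_data: bytes, hash_name: str, key_len: int) -> bytes:
    """Reproduce the documented CryptDeriveKey() expansion.

    The key comes from the hash object CryptHashData was fed. If the digest is at
    least key_len bytes, the key is the digest truncated to key_len. Otherwise the
    digest is XORed into 64-byte 0x36 and 0x5C pads (the HMAC ipad/opad trick),
    each pad is hashed, and the concatenated digests are truncated to key_len.
    """
    digest = hashlib.new(hash_name, base_data).digest()
    if len(digest) >= key_len:
        return digest[:key_len]
    inner = bytearray(b"\x36" * 64)
    outer = bytearray(b"\x5c" * 64)
    for i, byte in enumerate(digest):
        inner[i] ^= byte
        outer[i] ^= byte
    expanded = (hashlib.new(hash_name, bytes(inner)).digest()
                + hashlib.new(hash_name, bytes(outer)).digest())
    return expanded[:key_len]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (ARCFOUR), the stream cipher CryptoAPI exposes as CALG_RC4.
    Using it here is an assumption: the report does not name the sample's cipher."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def cryptoapi_decrypt(secret: str, blob: bytes, hash_name: str = "md5", key_len: int = 16) -> bytes:
    """Mirror of CryptHashData -> CryptDeriveKey -> CryptDecrypt for an RC4 key.

    The _mbstowcs call before CryptHashData suggests the hashed string is UTF-16LE;
    that encoding, MD5 and the 16-byte key are assumptions for this example.
    """
    key = crypt_derive_key(secret.encode("utf-16-le"), hash_name, key_len)
    return rc4(key, blob)


# Constructed demo input (not data from the sample): encrypt with the same chain,
# which works because RC4 encryption and decryption are the same operation.
DEMO_SECRET = "example-secret"
DEMO_PLAINTEXT = b"constructed plaintext"
DEMO_BLOB = rc4(crypt_derive_key(DEMO_SECRET.encode("utf-16-le"), "md5", 16), DEMO_PLAINTEXT)

if __name__ == "__main__":
    print(cryptoapi_decrypt(DEMO_SECRET, DEMO_BLOB))
```

To use this against the real sample, pull the CALG_* values from the CryptCreateHash and CryptDeriveKey arguments (a breakpoint on 2_2_00403770 or the decompiled call sites), pass the matching hashlib name and key length, and swap rc4 for the cipher CryptDeriveKey was asked for; note that with a 16-byte MD5 digest and a key of 16 bytes or less the key is simply the truncated hash.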

Compliance

Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Unpacked PE file: 2.2.fnsearcher68.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0046E2D4 FindFirstFileA,FindNextFileA,FindClose, 1_2_0046E2D4
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0047694C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_0047694C
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00450EA4 FindFirstFileA,GetLastError, 1_2_00450EA4
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0045E738 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045E738
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00474BD0 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00474BD0
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0045EBB4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045EBB4
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0045D1B4 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045D1B4
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0048D260 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_0048D260
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,Sleep,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, 2_2_00404490
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_004241DD FindFirstFileExW, 2_2_004241DD
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_1000959D FindFirstFileExW, 2_2_1000959D
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Malware configuration extractor IPs: 45.139.105.1
Source: Malware configuration extractor IPs: 85.31.46.167
Source: Joe Sandbox View IP Address: 45.139.105.171
Source: unknown TCP traffic detected without corresponding DNS query: 45.139.105.171 (6 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235 (44 occurrences)
Source: is-SQE6E.tmp, 00000001.00000002.347088234.0000000002254000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fn-group.info/
Source: file.exe, 00000000.00000003.250397670.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000003.251914619.0000000003190000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fn-group.info/-
Source: file.exe, 00000000.00000003.250397670.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000003.251914619.0000000003190000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fn-group.info/-http://www.fn-group.info/fnsearcher/help.html1http://www.fn-group.info/fns
Source: is-SQE6E.tmp, 00000001.00000002.346791616.000000000079A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fn-group.info/8
Source: is-SQE6E.tmp, 00000001.00000002.347088234.0000000002254000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fn-group.info/fnsearcher/download.html
Source: is-SQE6E.tmp, 00000001.00000002.346974137.0000000000815000.00000004.00000020.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000003.346249515.0000000000815000.00000004.00000020.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000003.346376195.0000000000815000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fn-group.info/fnsearcher/download.htmlw
Source: file.exe, 00000000.00000003.347773502.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.250490694.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000003.251984991.0000000002256000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000002.347088234.0000000002254000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fn-group.info/fnsearcher/help.html
Source: file.exe, 00000000.00000003.250397670.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000003.251914619.0000000003190000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fn-group.info/fnsearcher/help.html1
Source: file.exe, 00000000.00000003.347773502.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.250490694.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000003.251984991.0000000002256000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000002.347088234.0000000002254000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fn-group.info/fnsearcher/help.htmlB
Source: is-SQE6E.tmp, is-SQE6E.tmp, 00000001.00000000.251439199.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-6KAKC.tmp.1.dr, is-SQE6E.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: fnsearcher68.exe, 00000002.00000000.258860254.0000000001276000.00000002.00000001.01000000.00000007.sdmp, fnsearcher68.exe.1.dr, is-51KLJ.tmp.1.dr String found in binary or memory: http://www.kungsoft.com
Source: file.exe, 00000000.00000003.250397670.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.347783736.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000003.251914619.0000000003190000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000002.346974137.0000000000815000.00000004.00000020.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000003.346249515.0000000000815000.00000004.00000020.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000003.251984991.0000000002256000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000002.347088234.0000000002254000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000003.346376195.0000000000815000.00000004.00000020.00020000.00000000.sdmp, is-OS12U.tmp.1.dr String found in binary or memory: http://www.n-group.info
Source: file.exe, 00000000.00000003.250582680.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.250924927.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, is-SQE6E.tmp, 00000001.00000000.251439199.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-6KAKC.tmp.1.dr, is-SQE6E.tmp.0.dr String found in binary or memory: http://www.remobjects.com/?ps
Source: file.exe, 00000000.00000003.250582680.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.250924927.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, is-SQE6E.tmp, 00000001.00000000.251439199.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-6KAKC.tmp.1.dr, is-SQE6E.tmp.0.dr String found in binary or memory: http://www.remobjects.com/?psU
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar, 2_2_00401B30
Source: global traffic HTTP traffic detected:
    GET /itsnotmalware/count.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 45.139.105.171
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 45.139.105.171
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /storage/ping.php HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 0
    Host: 107.182.129.235
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /storage/extension.php HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 107.182.129.235
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected (11 identical requests):
    GET /library.php HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 2
    Host: 171.22.30.106
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: is-SQE6E.tmp, 00000001.00000002.346791616.000000000079A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
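The HTTP captures in this section share one client fingerprint: the Host header is a bare IPv4 address (which is why the sandbox logs TCP traffic with no corresponding DNS query), the User-Agent is a single digit (0, 1 or 2), the Accept/Accept-Language/Accept-Charset/Accept-Encoding set is fixed, and the paths are the handful of PHP endpoints listed. The following is an added example, not part of the report and not the sample's code, that turns those observations into a triage check over HTTP request records such as a proxy or PCAP export would give; the two malicious requests it runs on are reconstructed from the captures above, and the third is a constructed benign request to the installer's own help URL so the scoring can be seen to stay quiet on ordinary traffic.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the captured traffic and the extracted config in this report.
BEACON_PATHS = {"/itsnotmalware/count.php", "/storage/ping.php",
                "/storage/extension.php", "/library.php"}
KNOWN_C2_IPS = {"45.139.105.171", "107.182.129.235", "171.22.30.106",
                "45.139.105.1", "85.31.46.167"}


@dataclass
class HttpRequest:
    method: str
    path: str
    query: dict[str, str]
    headers: dict[str, str]   # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse a request line plus headers (one per line) into an HttpRequest."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method, target, _version = lines[0].split(" ", 2)
    path, _, query_string = target.partition("?")
    query: dict[str, str] = {}
    for pair in filter(None, query_string.split("&")):
        key, _, value = pair.partition("=")
        query[key] = value
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, query, headers)


def host_is_ip_literal(hostname: str) -> bool:
    """True when the Host header carries an address instead of a name (IPv4 only here)."""
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def score_request(req: HttpRequest) -> list[str]:
    """Return the list of beacon traits a request shows; empty means nothing suspicious."""
    reasons: list[str] = []
    hostname = req.headers.get("host", "").split(":")[0]
    if host_is_ip_literal(hostname):
        reasons.append("Host is an IP literal: the client never resolved a name")
    if hostname in KNOWN_C2_IPS:
        reasons.append(f"Host {hostname} is a C2/beacon address listed in this report")
    user_agent = req.headers.get("user-agent", "")
    if re.fullmatch(r"\d{1,3}", user_agent):
        reasons.append(f"bare numeric User-Agent {user_agent!r}")
    if req.path in BEACON_PATHS:
        reasons.append(f"beacon path {req.path}")
    if (req.headers.get("accept-language", "").startswith("ru-RU")
            and "image/x-xbitmap" in req.headers.get("accept", "")):
        reasons.append("fixed Accept header set with ru-RU Accept-Language, as in the sandbox captures")
    return reasons


def triage(raw_requests: list[str], threshold: int = 2) -> list[dict]:
    """Score each raw request; 'beacon' is set when at least `threshold` traits match."""
    results = []
    for raw in raw_requests:
        req = parse_request(raw)
        reasons = score_request(req)
        results.append({"host": req.headers.get("host", ""), "path": req.path,
                        "query": req.query, "reasons": reasons,
                        "beacon": len(reasons) >= threshold})
    return results


# Constructed sample input: the first two are rebuilt from the captures in this
# report, the third is a made-up benign request to the installer's help page.
COMMON_HEADERS = (
    "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\n"
    "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8\n"
    "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\n"
    "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\n")
SAMPLE_REQUESTS = [
    "GET /itsnotmalware/count.php?sub=NOSUB&stream=start&substream=mixinte HTTP/1.1\n"
    + COMMON_HEADERS + "User-Agent: 1\nHost: 45.139.105.171\nConnection: Keep-Alive\nCache-Control: no-cache\n",
    "GET /library.php HTTP/1.1\n"
    + COMMON_HEADERS + "User-Agent: 2\nHost: 171.22.30.106\nConnection: Keep-Alive\nCache-Control: no-cache\n",
    "GET /fnsearcher/help.html HTTP/1.1\nHost: www.fn-group.info\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\nAccept: text/html\n"
    "Accept-Language: en-US,en;q=0.5\nConnection: keep-alive\n",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_REQUESTS):
        print(result["beacon"], result["host"], result["path"], result["reasons"])
```

The IP-literal and numeric-User-Agent traits are the portable ones: the paths and addresses will rotate, but a client that talks HTTP to a hard-coded address with a one-character User-Agent is rare in legitimate traffic and is what the "TCP traffic without corresponding DNS query" lines above already point at.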

E-Banking Fraud

Source: Yara match File source: 2.2.fnsearcher68.exe.37d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fnsearcher68.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fnsearcher68.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fnsearcher68.exe.37d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.345115638.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.343591826.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040914C AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0040914C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409180 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409180
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004536F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004536F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004081A8 0_2_004081A8
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0043D2D0 1_2_0043D2D0
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004777A8 1_2_004777A8
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00461C80 1_2_00461C80
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00469F50 1_2_00469F50
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00458180 1_2_00458180
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00430454 1_2_00430454
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004446E8 1_2_004446E8
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004348B0 1_2_004348B0
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00444AF4 1_2_00444AF4
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0047CC54 1_2_0047CC54
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0045B078 1_2_0045B078
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00413202 1_2_00413202
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004832E4 1_2_004832E4
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0042F9F8 1_2_0042F9F8
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00443A48 1_2_00443A48
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00433BAC 1_2_00433BAC
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00463C84 1_2_00463C84
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00404490 2_2_00404490
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_004056A0 2_2_004056A0
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00406800 2_2_00406800
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00409A10 2_2_00409A10
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00406AA0 2_2_00406AA0
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00404D40 2_2_00404D40
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00405F40 2_2_00405F40
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00402F20 2_2_00402F20
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_0042B06A 2_2_0042B06A
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00422038 2_2_00422038
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_004290E9 2_2_004290E9
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00415486 2_2_00415486
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_004156B8 2_2_004156B8
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00422759 2_2_00422759
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00404840 2_2_00404840
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_004198C0 2_2_004198C0
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00426C00 2_2_00426C00
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00447D2D 2_2_00447D2D
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00410E00 2_2_00410E00
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_0042AF4A 2_2_0042AF4A
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00404F20 2_2_00404F20
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_1000F670 2_2_1000F670
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_1000EC61 2_2_1000EC61
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 00406A24 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 00403418 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 00405974 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 00455538 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 00445624 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 004034AC appears 75 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 00455348 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 0040788C appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 00445354 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 00433AC4 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 0040369C appears 198 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 00408BA4 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: String function: 00451710 appears 66 times
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: String function: 10003C50 appears 34 times
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: String function: 0040FD90 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0042EBCC NtdllDefWindowProc_A, 1_2_0042EBCC
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00423B68 NtdllDefWindowProc_A, 1_2_00423B68
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004125BC NtdllDefWindowProc_A, 1_2_004125BC
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00454CF8 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00454CF8
Source: is-SQE6E.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-SQE6E.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-SQE6E.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-SQE6E.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: fnsearcher68.exe.1.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: fnsearcher68.exe.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: is-6KAKC.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-6KAKC.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-6KAKC.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-6KAKC.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: file.exe, 00000000.00000003.250582680.00000000023F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.250582680.00000000023F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe, 00000000.00000003.250924927.00000000021D4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.250924927.00000000021D4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename6 vs file.exe
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\fnSearcher\is-6KAKC.tmp 40AE4CA142D536558D329DF560CDBE29D2335F0F7E349C26887B3AB411E0F54D
Source: fnsearcher68.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp "C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp" /SL4 $30224 "C:\Users\user\Desktop\file.exe" 2630911 52736
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Process created: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe "C:\Program Files (x86)\fnSearcher\fnsearcher68.exe"
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\0JzI2az.exe
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "fnsearcher68.exe" /f & erase "C:\Program Files (x86)\fnSearcher\fnsearcher68.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "fnsearcher68.exe" /f
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp "C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp" /SL4 $30224 "C:\Users\user\Desktop\file.exe" 2630911 52736 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Process created: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe "C:\Program Files (x86)\fnSearcher\fnsearcher68.exe" Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\0JzI2az.exe Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "fnsearcher68.exe" /f & erase "C:\Program Files (x86)\fnSearcher\fnsearcher68.exe" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "fnsearcher68.exe" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040914C AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0040914C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409180 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409180
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004536F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004536F0
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "fnsearcher68.exe")
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp Jump to behavior
Source: classification engine Classification label: mal96.troj.evad.winEXE@12/31@0/5
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar, 2_2_00401B30
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 2_2_00402BF0
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification, 2_2_00405350
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3328:120:WilError_01
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004098C8 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_004098C8
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File created: C:\Program Files (x86)\fnSearcher Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Command line argument: `a}{ 2_2_00409A10
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Command line argument: MFE. 2_2_00409A10
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Command line argument: ZK]Z 2_2_00409A10
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Command line argument: ZK]Z 2_2_00409A10
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Window found: window name: TMainForm Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 2881497 > 1048576

Data Obfuscation

Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Unpacked PE file: 2.2.fnsearcher68.exe.400000.0.unpack
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Unpacked PE file: 2.2.fnsearcher68.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.rfn68:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406518 push 00406555h; ret 0_2_0040654D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408C50 push 00408C83h; ret 0_2_00408C7B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407EA0 push ecx; mov dword ptr [esp], eax 0_2_00407EA5
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004098E4 push 00409921h; ret 1_2_00409919
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0040A023 push ds; ret 1_2_0040A024
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004062C4 push ecx; mov dword ptr [esp], eax 1_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00430454 push ecx; mov dword ptr [esp], eax 1_2_00430459
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0047A6CC push 0047A7AAh; ret 1_2_0047A7A2
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004106B4 push ecx; mov dword ptr [esp], edx 1_2_004106B9
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00450740 push 00450773h; ret 1_2_0045076B
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0041290C push 0041296Fh; ret 1_2_00412967
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004429C0 push ecx; mov dword ptr [esp], ecx 1_2_004429C4
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00456D70 push 00456DB4h; ret 1_2_00456DAC
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0045AD70 push ecx; mov dword ptr [esp], eax 1_2_0045AD75
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0040D00C push ecx; mov dword ptr [esp], edx 1_2_0040D00E
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00405485 push eax; ret 1_2_004054C1
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00405555 push 00405761h; ret 1_2_00405759
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0040F56C push ecx; mov dword ptr [esp], edx 1_2_0040F56E
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004055D6 push 00405761h; ret 1_2_00405759
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00405653 push 00405761h; ret 1_2_00405759
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004056B8 push 00405761h; ret 1_2_00405759
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0047BC58 push ecx; mov dword ptr [esp], ecx 1_2_0047BC5D
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00419C0C push ecx; mov dword ptr [esp], ecx 1_2_00419C11
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_004311AD push esi; ret 2_2_004311B6
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_0040F86B push ecx; ret 2_2_0040F87E
Source: fnsearcher68.exe.1.dr Static PE information: section name: .rfn68
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0044A890 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044A890
Source: initial sample Static PE information: section name: .text entropy: 7.239650320490324
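The three static findings above (a .text section flagged IMAGE_SCN_MEM_SYSHEAP alongside EXECUTE, the unpacked image whose non-standard .rfn68 section is execute+write, and a .text entropy of 7.24) all come from one place: the PE section table. The following Python is an added example written for this report, not Joe Sandbox's own code and not run on the sample's bytes. build_synthetic_pe() constructs a small PE32 image (constructed test data) whose section table imitates what the report lists for fnsearcher68.exe, and rights_string() reproduces the report's compact ".text:ER;...;.rfn68:EW" notation as an inference of that format, not as Joe Sandbox's documented encoding.

```python
"""Static triage of a PE section table: writable+executable sections, non-standard
section names and high-entropy section bodies. Added example; the PE image is
constructed, not taken from the sample."""
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names the default MSVC/Delphi toolchains emit; anything else is worth a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".tls", ".rsrc", ".reloc",
                     ".idata", ".edata", ".pdata", ".bss", ".CRT", "CODE", "DATA", "BSS"}


def parse_sections(data: bytes):
    """DOS header -> PE signature -> COFF header -> section table.
    Returns (name, virtual_size, virtual_address, raw_size, raw_ptr, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size          # section table follows the optional header
    out = []
    for _ in range(num_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rsize, rptr, chars))
        off += 40                           # sizeof(IMAGE_SECTION_HEADER)
    return out


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rights_string(sections) -> str:
    """E if executable, then W if writable else R (assumed reading of the report's style)."""
    return "".join(f"{name}:{'E' if ch & IMAGE_SCN_MEM_EXECUTE else ''}"
                   f"{'W' if ch & IMAGE_SCN_MEM_WRITE else 'R'};"
                   for name, _, _, _, _, ch in sections)


def triage_sections(data: bytes, entropy_threshold: float = 7.0):
    findings = []
    for name, _vsize, _va, rsize, rptr, ch in parse_sections(data):
        if ch & IMAGE_SCN_MEM_EXECUTE and ch & IMAGE_SCN_MEM_WRITE:
            findings.append(("writable_executable", name))   # unpacking / self-modifying stub
        if name not in STANDARD_SECTIONS:
            findings.append(("non_standard_name", name))
        if rsize and entropy(data[rptr:rptr + rsize]) >= entropy_threshold:
            findings.append(("high_entropy", name))          # packed or encrypted body
    return findings


def _section_header(name: bytes, va: int, raw_size: int, raw_ptr: int, chars: int) -> bytes:
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), raw_size, va, raw_size, raw_ptr,
                       0, 0, 0, 0, chars)


def build_synthetic_pe() -> bytes:
    """Constructed PE32: DOS stub, COFF header, zeroed optional header, three sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                          # PE32 magic + padding
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x0102)   # i386, 3 sections
    layout = [  # (name, VA, raw_ptr, characteristics, body)
        (b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
         bytes(range(256)) * 2),                                           # uniform bytes: entropy 8.0
        (b".data", 0x2000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
         b"\0" * 0x200),
        (b".rfn68", 0x3000, 0x600, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
         b"\x90" * 0x200),                                                 # E+W, like the report's .rfn68
    ]
    image = dos + b"PE\0\0" + coff + opt
    for name, va, raw_ptr, chars, body in layout:
        image += _section_header(name, va, len(body), raw_ptr, chars)
    image = image.ljust(0x200, b"\0")
    for _, _, raw_ptr, _, body in layout:
        assert len(image) == raw_ptr
        image += body
    return image


if __name__ == "__main__":
    img = build_synthetic_pe()
    print(rights_string(parse_sections(img)))
    for rule, section in triage_sections(img):
        print(f"{rule:20} {section}")
```

Run it against a dropped file instead of the synthetic image by passing open(path, "rb").read() to triage_sections(). The entropy check reads raw section bytes, so a section that is unpacked only in memory (as .rfn68 is here, with SizeOfRawData possibly zero) shows up through its execute+write rights rather than its entropy; that is why the report pairs the static flag with a memory dump comparison.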
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File created: C:\Users\user\AppData\Local\Temp\is-6LIA6.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File created: C:\Users\user\AppData\Local\Temp\is-6LIA6.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\0JzI2az.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File created: C:\Program Files (x86)\fnSearcher\is-6KAKC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File created: C:\Users\user\AppData\Local\Temp\is-6LIA6.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File created: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File created: C:\Users\user\AppData\Local\Temp\is-6LIA6.tmp\_isetup\_RegDLL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File created: C:\Program Files (x86)\fnSearcher\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00423BF0 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423BF0
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0047A09C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0047A09C
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00424178 IsIconic,SetActiveWindow, 1_2_00424178
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_004241C0 IsIconic,SetActiveWindow,SetFocus, 1_2_004241C0
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00418368 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418368
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00422840 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_00422840
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0041757C IsIconic,GetCapture, 1_2_0041757C
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00417CB2 IsIconic,SetWindowPos, 1_2_00417CB2
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00417CB4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CB4
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0044A890 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044A890
Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6LIA6.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Dropped PE file which has not been started: C:\Program Files (x86)\fnSearcher\is-6KAKC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6LIA6.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6LIA6.tmp\_isetup\_RegDLL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Dropped PE file which has not been started: C:\Program Files (x86)\fnSearcher\unins000.exe (copy) Jump to dropped file
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA, 2_2_004056A0
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040980C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_0040980C
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0046E2D4 FindFirstFileA,FindNextFileA,FindClose, 1_2_0046E2D4
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0047694C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_0047694C
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00450EA4 FindFirstFileA,GetLastError, 1_2_00450EA4
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0045E738 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045E738
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00474BD0 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00474BD0
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0045EBB4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045EBB4
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0045D1B4 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045D1B4
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0048D260 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_0048D260
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,Sleep,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, 2_2_00404490
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_004241DD FindFirstFileExW, 2_2_004241DD
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_1000959D FindFirstFileExW, 2_2_1000959D
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_0041371B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041371B
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 2_2_00402BF0
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0044A890 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044A890
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc, 2_2_00402F20
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h] 2_2_0044028F
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_004207CF mov eax, dword ptr fs:[00000030h] 2_2_004207CF
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h] 2_2_004429E7
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_00417F5F mov eax, dword ptr fs:[00000030h] 2_2_00417F5F
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_100091C7 mov eax, dword ptr fs:[00000030h] 2_2_100091C7
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_10006CE1 mov eax, dword ptr fs:[00000030h] 2_2_10006CE1
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_0040FB39 SetUnhandledExceptionFilter, 2_2_0040FB39
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_0041371B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041371B
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_0040F9A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040F9A5
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_0040EF82 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040EF82
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10006180
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100035DF
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10003AD4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "fnsearcher68.exe" /f Jump to behavior
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "fnsearcher68.exe" /f & erase "C:\Program Files (x86)\fnSearcher\fnsearcher68.exe" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "fnsearcher68.exe" /f Jump to behavior
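The process chain listed under "Process created" above and the taskkill/erase lines just listed describe the same two things a responder has to catch quickly: fnsearcher68.exe drops a payload into %APPDATA%\{GUID}\ and then removes itself through "cmd.exe /c taskkill /im ... /f & erase ...", so the file is gone by the time the alert is read. The Python below is an added example written for this report, not part of the Joe Sandbox output and not the sample's code. Its ProcEvent records are constructed from the process-creation lines above; the field names parent_image, image and command_line are an assumption loosely modelled on Sysmon Event ID 1, not an exact log schema.

```python
"""Flag the staging and self-deletion chain visible in the report's process tree.
Added example; event records are constructed from the report, field names assumed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed from the report's process-creation entries (same order as listed).
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\file.exe",
              r"C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp",
              r'"C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp" /SL4 $30224 '
              r'"C:\Users\user\Desktop\file.exe" 2630911 52736'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp",
              r"C:\Program Files (x86)\fnSearcher\fnsearcher68.exe",
              r'"C:\Program Files (x86)\fnSearcher\fnsearcher68.exe"'),
    ProcEvent(r"C:\Program Files (x86)\fnSearcher\fnsearcher68.exe",
              r"C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\0JzI2az.exe",
              r"C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\0JzI2az.exe"),
    ProcEvent(r"C:\Program Files (x86)\fnSearcher\fnsearcher68.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im "fnsearcher68.exe" /f & '
              r'erase "C:\Program Files (x86)\fnSearcher\fnsearcher68.exe" & exit'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\SysWOW64\taskkill.exe",
              r'taskkill /im "fnsearcher68.exe" /f'),
]

# Payload started from %APPDATA%\{GUID}\<name>.exe, the layout fnsearcher68.exe uses here.
GUID_DIR_EXE = re.compile(r"\\AppData\\Roaming\\\{[0-9a-f-]{36}\}\\[^\\]+\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_self_delete(ev: ProcEvent) -> bool:
    """cmd.exe spawned by X that both kills X by image name and erases X's file."""
    if basename(ev.image) != "cmd.exe":
        return False
    cl = ev.command_line.lower()
    parent = re.escape(basename(ev.parent_image))
    kills_parent = re.search(r'taskkill\s+(?:/f\s+)?/im\s+"?' + parent, cl) is not None
    erases_parent = re.search(r"\b(?:erase|del)\b[^&]*" + parent, cl) is not None
    return kills_parent and erases_parent


def is_guid_roaming_drop(ev: ProcEvent) -> bool:
    return GUID_DIR_EXE.search(ev.image) is not None


def triage(events):
    """Return (rule, artefact) pairs; the artefact is the file to collect before it disappears."""
    findings = []
    for ev in events:
        if is_guid_roaming_drop(ev):
            findings.append(("guid_dir_payload_in_roaming", ev.image))
        if is_self_delete(ev):
            # The erased file is the parent; pull it from the dropped-file list or a snapshot.
            findings.append(("self_delete_via_cmd", ev.parent_image))
    return findings


if __name__ == "__main__":
    for rule, artefact in triage(EVENTS):
        print(f"{rule:32} {artefact}")
```

is_self_delete() keys on the parent's own image name appearing in both the taskkill and the erase/del operands, which keeps ordinary installer clean-up (a cmd.exe that deletes some other temp file) from firing. The is-*.tmp, _isetup\_shfoldr.dll, _RegDLL.tmp and unins000.exe artefacts earlier in the report are standard Inno Setup installer files; the behaviour worth alerting on starts at the fnsearcher68.exe child, not at the installer itself.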
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00459ACC GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree, 1_2_00459ACC
Source: fnsearcher68.exe, 00000002.00000002.345361381.00000000039DF000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: fnsearcher68.exe, 00000002.00000002.345361381.00000000039DF000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: program manager
Source: fnsearcher68.exe, 00000002.00000002.345361381.00000000039DF000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: F.program manager
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_0040515C
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_004051A8
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: GetLocaleInfoA, 1_2_00408500
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: GetLocaleInfoA, 1_2_0040854C
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer, 2_2_00404D40
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_0042714F
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: EnumSystemLocalesW, 2_2_004273F1
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: EnumSystemLocalesW, 2_2_0042743C
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: EnumSystemLocalesW, 2_2_004274D7
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00427562
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: EnumSystemLocalesW, 2_2_0041E6AF
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: GetLocaleInfoW, 2_2_004277B5
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_004278DB
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: GetLocaleInfoW, 2_2_004279E1
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00427AB0
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: GetLocaleInfoW, 2_2_0041EBD1
Source: C:\Program Files (x86)\fnSearcher\fnsearcher68.exe Code function: 2_2_0043E835 cpuid 2_2_0043E835
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_0045604C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_0045604C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405C44 GetVersionExA, 0_2_00405C44
Source: C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp Code function: 1_2_00453688 GetUserNameA, 1_2_00453688

Stealing of Sensitive Information

Source: Yara match File source: 2.2.fnsearcher68.exe.37d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fnsearcher68.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fnsearcher68.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fnsearcher68.exe.37d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.345115638.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.343591826.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY