Source: file.exe |
Virustotal: Detection: 38% |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00878884 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
0_2_00878884 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00881940 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext, |
0_2_00881940 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0087885C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash, |
0_2_0087885C |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_008799FF CryptDestroyHash, |
0_2_008799FF |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0087A511 CryptReleaseContext, |
0_2_0087A511 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00884967 CryptReleaseContext, |
0_2_00884967 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00883F6C CryptDestroyHash, |
0_2_00883F6C |
Source: C:\Users\user\Desktop\file.exe |
Unpacked PE file: 0.2.file.exe.400000.0.unpack |
Source: file.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Windows\SysWOW64\msvcr100.dll |
Source: |
Binary string: C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb source: file.exe |
Source: |
Binary string: 5C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb0f source: file.exe |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040D450 FindFirstFileW,FindClose, |
0_2_0040D450 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004235B0 FindFirstFileW,FindClose, |
0_2_004235B0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040CE84 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, |
0_2_0040CE84 |
Source: file.exe, 00000000.00000002.258207764.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 3548, type: MEMORYSTR |
Source: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000000.00000002.260555630.0000000002AF0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000000.00000002.260555630.0000000002AF0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 668 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00881940 |
0_2_00881940 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00897244 |
0_2_00897244 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00885B34 |
0_2_00885B34 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_008770C4 |
0_2_008770C4 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_006BA8DC |
0_2_006BA8DC |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00889622 |
0_2_00889622 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0088C79C |
0_2_0088C79C |
Source: C:\Users\user\Desktop\file.exe |
Code function: String function: 0040ACB4 appears 34 times |
Source: C:\Users\user\Desktop\file.exe |
Code function: String function: 0040A3C0 appears 76 times |
Source: C:\Users\user\Desktop\file.exe |
Code function: String function: 0040A0C0 appears 300 times |
Source: C:\Users\user\Desktop\file.exe |
Code function: String function: 0040AEFC appears 33 times |
Source: file.exe |
Static PE information: Resource name: RT_VERSION type: x86 executable not stripped |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Windows\SysWOW64\rundll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_027667C6 CreateToolhelp32Snapshot,Module32First, |
0_2_027667C6 |
Source: C:\Users\user\Desktop\file.exe |
Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5248 |
Source: C:\Users\user\Desktop\file.exe |
File created: C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll |
Source: classification engine |
Classification label: mal60.evad.winEXE@4/5@0/0 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\rundll32.exe |
Automated click: OK |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: file.exe |
Static file information: File size 3776000 > 1048576 |
Source: file.exe |
Static PE information: Raw size of .data is bigger than: 0x100000 < 0x386000 |
Source: file.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Users\user\Desktop\file.exe |
Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.didata:W;.edata:R;.tls:W;.rdata:R;.reloc:R;.rsrc:R; |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00422F40 push ecx; mov dword ptr [esp], ecx |
0_2_00422F44 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_02767597 pushad ; iretd |
0_2_02767598 |
Source: Serpodtudpwhhta.dll.0.dr |
Static PE information: section name: .didata |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0085E760 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_0085E760 |
Source: C:\Users\user\Desktop\file.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
RDTSC instruction interceptor: First address: 00000000042A6EB0 second address: 00000000042A778E instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-0Ch], edx 0x00000005 mov dword ptr [ebp-24h], 0000000Dh 0x0000000c mov eax, 00000001h 0x00000011 cmp eax, 00000000h 0x00000014 jnbe 00007F93209DD1A3h 0x00000016 mov eax, dword ptr [ebp-0Ch] 0x00000019 sub eax, dword ptr [ebp-04h] 0x0000001c cmp eax, dword ptr [ebp-24h] 0x0000001f jnl 00007F93209DD1AAh 0x00000021 inc dword ptr [ebp-14h] 0x00000024 jmp 00007F93209DD810h 0x00000029 mov eax, 00000000h 0x0000002e cmp eax, 00000000h 0x00000031 je 00007F93209DD1A3h 0x00000033 cmp dword ptr [ebp-14h], 02h 0x00000037 jng 00007F93209DD3DAh 0x0000003d rdtsc |
Source: C:\Users\user\Desktop\file.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_027660A3 push dword ptr fs:[00000030h] |
0_2_027660A3 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0087C50C InitializeSecurityDescriptor,InitializeAcl,CreateWellKnownSid,CreateWellKnownSid,AddAccessAllowedAce,SetSecurityDescriptorDacl, |
0_2_0087C50C |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040D588 GetUserDefaultUILanguage,GetLocaleInfoW, |
0_2_0040D588 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040CA28 IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
0_2_0040CA28 |
Source: C:\Users\user\Desktop\file.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: file.exe, 00000000.00000003.243980722.000000007F700000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.252501992.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000000.255187116.0000000003EC1000.00000020.00000001.01000000.00000004.sdmp, Serpodtudpwhhta.dll.0.dr |
Binary or memory string: MSASCui.exe |