Windows Analysis Report
5GPueTFF2S.exe

Overview

General Information

Sample Name: 5GPueTFF2S.exe
Analysis ID: 764034
MD5: 7d124bc23be85d73b1177143f41b5e72
SHA1: 09633b90a0b993fd4dec6d522a1243433fc3ab10
SHA256: 04805512d670fb5f37bdf17bf00aae6976650f82c0b4bd342f3506d204f7aea2
Tags: 32, exe, trojan

Detection

Amadey, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Amadey's stealer DLL
Malicious sample detected (through community Yara rule)
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Yara detected Vidar stealer
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Overwrites code with function prologues
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Self deletion via cmd or bat file
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Tries to evade analysis by executing special instructions (VM detection)
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Uses cacls to modify the permissions of files
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: http://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe Avira URL Cloud: Label: malware
Source: C:\ProgramData\75873290272674793137.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\nppshell[1].exe ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe ReversingLabs: Detection: 35%
Source: 5GPueTFF2S.exe Joe Sandbox ML: detected
Source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["http://135.181.10.220:80", "https://t.me/vmt001"], "Botnet": "1760", "Version": "56.1"}
Source: 18.2.gntuud.exe.a0000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "85.209.135.109/jg94cVd30f/index.php", "Version": "3.50"}

Compliance

Source: C:\Users\user\Desktop\5GPueTFF2S.exe Unpacked PE file: 0.2.5GPueTFF2S.exe.60900000.3.unpack
Source: 5GPueTFF2S.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5GPueTFF2S.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr
Source: Binary string: C:\Yafoca\Rij\Kehiquo soja kafex.pdb source: 5GPueTFF2S.exe
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.4 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 85.209.135.109 80
Source: Malware configuration extractor URLs: 85.209.135.109/jg94cVd30f/index.php
Source: Malware configuration extractor URLs: http://135.181.10.220:80
Source: Malware configuration extractor URLs: https://t.me/vmt001
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.430008393.0000000008E30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://135.181.10.220/
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://135.181.10.220/1760
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://135.181.10.220/1760jf.
Source: 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://135.181.10.220/update.zip
Source: 5GPueTFF2S.exe, 00000000.00000003.385525417.000000000CCC0000.00000040.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.431582702.000000000B030000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://135.181.10.220:8
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.425200801.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://135.181.10.220:80
Source: 5GPueTFF2S.exe, 00000000.00000002.422509988.00000000005AC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://135.181.10.220:80/update.zip
Source: 5GPueTFF2S.exe, 00000000.00000002.422509988.00000000005AC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://135.181.10.220:80/update.zipb1ef1c57276c118008692-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963
Source: 5GPueTFF2S.exe, 00000000.00000002.425200801.0000000002A90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://135.181.10.220:801760
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://135.181.10.220:80https://t.me/vmt001hello2092;open_open
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://135ple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe
Source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, cred64[1].dll.7.dr, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, cred64[1].dll.7.dr, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 5GPueTFF2S.exe, 00000000.00000002.424393747.00000000028CA000.00000040.00000800.00020000.00000000.sdmp String found in binary or memory: http://mIkUB7ZDt5qfxou902VyKe64v30McOy.LnrmXFtSK2Pynk6VWBPG5Sf1w0AavRp1BVjmQQUkh2vmJkxEZO5UQQZNHAms9
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mikub7zdt5qfxou902vyke64v30mcoy.lnrmxftsk2pynk6vwbpg5s/
Source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, cred64[1].dll.7.dr, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exerO
Source: 5GPueTFF2S.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: 5GPueTFF2S.exe String found in binary or memory: http://s.symcd.com06
Source: 5GPueTFF2S.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 5GPueTFF2S.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: 5GPueTFF2S.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 39866407027900499026559352.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 39866407027900499026559352.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 5GPueTFF2S.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: 5GPueTFF2S.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: 5GPueTFF2S.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: 39866407027900499026559352.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 39866407027900499026559352.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, cred64[1].dll.7.dr, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr String found in binary or memory: https://sectigo.com/CPS0
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/vmt001
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 5GPueTFF2S.exe, 00000000.00000002.422854308.00000000009CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
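The string hits above mix three very different things: the real infrastructure from the two extracted configs (a literal IP, a Telegram profile, a second-stage download), CRL/OCSP/CPS pointers that sit inside the Authenticode signature blob of the PE (the trailing "0t", "0#", "0(" are ASN.1 length bytes, not part of the URL), and search-engine templates that come from the victim's browser profile files the stealer copied. The following Python is an example added by the editor, not part of the Joe Sandbox report or of either malware family; the label sets, the domain list and the bucket names are its own assumptions, and the input list is copied from the lines above.

```python
"""Triage of URL strings recovered from memory and dropped files, as listed in
the Networking section above. Added example by the editor, not Joe Sandbox
code; the label sets, domain lists and category names are assumptions."""
import re
from urllib.parse import urlsplit

# Assumption: host labels used for CRL/OCSP/AIA distribution points. These
# URLs are carried inside the Authenticode (PKCS#7) blob of a signed PE, and
# the trailing '0t', '0#', '0(' are ASN.1 length bytes, not part of the URL.
PKI_LABELS = {"crl", "crt", "ocsp", "aia", "ts-aia", "ts-crl", "ts-ocsp"}
# Assumption: Chromium prepopulated search providers. Templates ending in an
# empty parameter ('?q=') come from a copied browser profile, not the malware.
SEARCH_DOMAINS = {"duckduckgo.com", "ecosia.org", "yahoo.com", "google.com"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample: strings copied from the Networking section above.
SAMPLE_STRINGS = [
    "http://135.181.10.220:80",
    "http://135.181.10.220:80/update.zip",
    "http://135.181.10.220:801760",          # two strings run together in memory
    "https://t.me/vmt001",
    "http://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe",
    "http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t",
    "http://ocsp.sectigo.com0",
    "http://s.symcb.com/universal-root.crl0",
    "https://d.symcb.com/cps0%",
    "https://duckduckgo.com/ac/?q=",
    "https://search.yahoo.com?fr=crmas_sfp",
    "http://mikub7zdt5qfxou902vyke64v30mcoy.lnrmxftsk2pynk6vwbpg5s/",
]


def _suffix_match(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_url(raw: str) -> str:
    """Bucket one memory string; only the last three buckets are worth blocking."""
    parts = urlsplit(raw.strip())
    host = (parts.hostname or "").lower()   # .hostname tolerates a junk port
    path = parts.path
    if not host:
        return "garbage"
    labels = host.split(".")
    if (labels[0] in PKI_LABELS
            or re.search(r"\.(?:crl|crt|cer)(?![a-z])", path, re.I)
            or re.match(r"/(?:cps|rpa)(?![a-z])", path, re.I)):
        return "pki_artifact"
    if _suffix_match(host, SEARCH_DOMAINS):
        return "browser_data"
    if IPV4.fullmatch(host):
        return "c2_candidate"            # both configs address C2 by literal IP
    if not re.fullmatch(r"[a-z]{2,24}", labels[-1]):
        return "garbage"                 # non-alphabetic TLD: overlapping strings
    if host == "t.me":
        return "dead_drop_resolver"      # Vidar config lists a Telegram profile
    if re.search(r"\.(?:exe|dll|zip)(?![a-z])", path, re.I):
        return "payload_download"
    return "review"


def triage(strings) -> dict:
    return {s: triage_url(s) for s in strings}


def blockable(strings) -> list:
    """Sorted URLs in the buckets an analyst would push to a blocklist."""
    keep = {"c2_candidate", "dead_drop_resolver", "payload_download"}
    return sorted(s for s, c in triage(strings).items() if c in keep)


if __name__ == "__main__":
    for url, bucket in triage(SAMPLE_STRINGS).items():
        print(f"{bucket:20} {url}")
```

The pki_artifact and browser_data buckets explain most of the noise in the list above without any network activity having taken place. The heuristics are deliberately conservative on the other side: an overlapped string such as http://135ple-wells-2022.net/... still parses as a valid host and would land in payload_download, so anything outside the first two buckets still needs an analyst's eye before it goes on a blocklist.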

System Summary

Source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 75873290272674793137.exe.0.dr Static PE information: section name: lB@dO\ih
Source: 75873290272674793137.exe.0.dr Static PE information: section name: Fh?jG[OJ
Source: 75873290272674793137.exe.0.dr Static PE information: section name: qNR5:WbS
Source: 75873290272674793137.exe.0.dr Static PE information: section name: z?fd8ijJ
Source: 75873290272674793137.exe.0.dr Static PE information: section name: CV?7x>JO
Source: 75873290272674793137.exe.0.dr Static PE information: section name: dT<:EHzj
Source: 75873290272674793137.exe.0.dr Static PE information: section name: @]topACL
Source: nppshell[1].exe.0.dr Static PE information: section name: lB@dO\ih
Source: nppshell[1].exe.0.dr Static PE information: section name: Fh?jG[OJ
Source: nppshell[1].exe.0.dr Static PE information: section name: qNR5:WbS
Source: nppshell[1].exe.0.dr Static PE information: section name: z?fd8ijJ
Source: nppshell[1].exe.0.dr Static PE information: section name: CV?7x>JO
Source: nppshell[1].exe.0.dr Static PE information: section name: dT<:EHzj
Source: nppshell[1].exe.0.dr Static PE information: section name: @]topACL
Source: gntuud.exe.1.dr Static PE information: section name: lB@dO\ih
Source: gntuud.exe.1.dr Static PE information: section name: Fh?jG[OJ
Source: gntuud.exe.1.dr Static PE information: section name: qNR5:WbS
Source: gntuud.exe.1.dr Static PE information: section name: z?fd8ijJ
Source: gntuud.exe.1.dr Static PE information: section name: CV?7x>JO
Source: gntuud.exe.1.dr Static PE information: section name: dT<:EHzj
Source: gntuud.exe.1.dr Static PE information: section name: @]topACL
Source: cred64[1].dll.7.dr Static PE information: section name: f5g\gWe7
Source: cred64[1].dll.7.dr Static PE information: section name: zDthL)*@
Source: cred64[1].dll.7.dr Static PE information: section name: nb"h!m#Y
Source: cred64[1].dll.7.dr Static PE information: section name: $^+<%+dU
Source: cred64[1].dll.7.dr Static PE information: section name: Z-),j99t
Source: cred64[1].dll.7.dr Static PE information: section name: 8"ikKHD[
Source: cred64[1].dll.7.dr Static PE information: section name: k&l<0?<6
Source: cred64[1].dll.7.dr Static PE information: section name: n[uZh3ex
Source: cred64[1].dll.7.dr Static PE information: section name: Uh%r6i!H
Source: cred64.dll.7.dr Static PE information: section name: f5g\gWe7
Source: cred64.dll.7.dr Static PE information: section name: zDthL)*@
Source: cred64.dll.7.dr Static PE information: section name: nb"h!m#Y
Source: cred64.dll.7.dr Static PE information: section name: $^+<%+dU
Source: cred64.dll.7.dr Static PE information: section name: Z-),j99t
Source: cred64.dll.7.dr Static PE information: section name: 8"ikKHD[
Source: cred64.dll.7.dr Static PE information: section name: k&l<0?<6
Source: cred64.dll.7.dr Static PE information: section name: n[uZh3ex
Source: cred64.dll.7.dr Static PE information: section name: Uh%r6i!H
Source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC35E0 0_2_00EC35E0
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC81D0 0_2_00EC81D0
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC7BB0 0_2_00EC7BB0
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC6091 0_2_00EC6091
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC4269 0_2_00EC4269
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC6072 0_2_00EC6072
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC6023 0_2_00EC6023
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC603D 0_2_00EC603D
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00ECAF98 0_2_00ECAF98
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC3F9A 0_2_00EC3F9A
Source: 5GPueTFF2S.exe Static PE information: invalid certificate
Source: 5GPueTFF2S.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\5GPueTFF2S.exe C:\Users\user\Desktop\5GPueTFF2S.exe
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Process created: C:\ProgramData\75873290272674793137.exe "C:\ProgramData\75873290272674793137.exe"
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\ProgramData\75873290272674793137.exe Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
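The process tree above is a compact catalogue of detectable behaviour: the dropper deletes itself through cmd.exe after a timeout, the Amadey bot registers a scheduled task that re-runs it every minute from a Temp folder, it then uses cacls to replace the user's ACL on its own file and folder with None and add Read back (so the account that runs it can no longer delete it), and finally it loads cred64.dll from AppData\Roaming through rundll32. The following Python is an example added by the editor, not Joe Sandbox code or code from either malware family; the rule names, the regular expressions and the benign control event are its own assumptions, while the sample events are copied from the process-creation lines above.

```python
"""Process-creation heuristics for the Amadey/Vidar behaviours listed in this
report. Added example by the editor, not Joe Sandbox or report code; the
rule names, patterns and the benign control event are assumptions."""
import re

# Assumption: directories a standard user can write to. A task target, DLL
# or payload living here deserves scrutiny; one under Program Files does not.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|ProgramData|Temp)\\", re.IGNORECASE
)

# Constructed sample: (parent image, child command line) pairs copied from the
# "Process created" lines above, plus one constructed benign control event.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\5GPueTFF2S.exe",
     r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q '
     r'"C:\Users\user\Desktop\5GPueTFF2S.exe" & exit'),
    (r"C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe '
     r'/TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'CACLS "gntuud.exe" /P "user:N"'),
    (r"C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe",
     r'"C:\Windows\System32\rundll32.exe" '
     r'C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main'),
    (r"C:\Windows\explorer.exe",  # benign control, constructed
     r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup '
     r'/TR "C:\Program Files\Backup\backup.exe"'),
]


def is_self_delete(parent_image: str, cmdline: str) -> bool:
    """cmd.exe waits (timeout/ping) and then deletes the image that spawned it."""
    c = cmdline.lower()
    delayed = "timeout" in c or re.search(r"\bping\b", c) is not None
    return delayed and re.search(r"\bdel\b", c) is not None and parent_image.lower() in c


def is_minute_task_in_user_dir(cmdline: str) -> bool:
    """schtasks /Create that re-launches a user-writable binary every minute."""
    c = cmdline.lower()
    if "schtasks" not in c or "/create" not in c or not re.search(r"/sc\s+minute", c):
        return False
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    target = (m.group(1) or m.group(2) or "") if m else ""
    return USER_WRITABLE.search(target) is not None


def is_acl_self_lockdown(cmdline: str) -> bool:
    """cacls/icacls replacing the current user's own access with None (user:N)
    or a /deny; the bot does this to its dropped file and folder before adding
    Read back, leaving them read-only for the very account that runs it."""
    c = cmdline.lower()
    if re.search(r"\bi?cacls(?:\.exe)?\b", c) is None:
        return False
    return re.search(r'/p\s+"?[^"\s:]+:n(?![a-z])', c) is not None or "/deny" in c


def is_rundll32_from_user_dir(cmdline: str) -> bool:
    """rundll32 handed a DLL in a user-writable directory ('path, Export' form)."""
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^,"]+?)"?\s*,', cmdline, re.IGNORECASE)
    return m is not None and USER_WRITABLE.search(m.group(1)) is not None


RULES = {
    "self_delete_after_delay": lambda parent, cmd: is_self_delete(parent, cmd),
    "schtasks_minute_user_writable": lambda parent, cmd: is_minute_task_in_user_dir(cmd),
    "acl_self_lockdown": lambda parent, cmd: is_acl_self_lockdown(cmd),
    "rundll32_user_writable_dll": lambda parent, cmd: is_rundll32_from_user_dir(cmd),
}


def classify(parent_image: str, cmdline: str) -> list:
    """Names of every rule the event trips, in RULES order."""
    return [name for name, rule in RULES.items() if rule(parent_image, cmdline)]


def scan(events) -> list:
    return [classify(parent, cmd) for parent, cmd in events]


if __name__ == "__main__":
    for (parent, cmd), hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(", ".join(hits) or "-", "|", cmd[:72])
```

Each rule keys on the combination that makes the behaviour suspicious rather than on the tool alone: schtasks is only flagged when the interval is one minute and the target is user-writable, cacls only when it removes the user's own access, and rundll32 only when the DLL lives outside system and program directories. The benign daily backup task in the sample therefore trips nothing. For remediation, note that the cacls lockdown means the dropped folder must have its ACL reset (or be removed as an administrator) before the files can be deleted.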
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU
Source: C:\ProgramData\75873290272674793137.exe File created: C:\Users\user\AppData\Local\Temp\03bd543fce
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@31/16@0/5
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File read: C:\Users\user\Desktop\desktop.ini
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 42740063057692746811967690.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\118b2709b7d16171ccdcf59ab82ccd18
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2160:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Mutant created: \Sessions\1\BaseNamedObjects\c33e9ad058e5d380869687d885c0668c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_01
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Command line argument: %GR 0_2_00EC81D0
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 5GPueTFF2S.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 5GPueTFF2S.exe Static file information: File size 1493440 > 1048576
Source: 5GPueTFF2S.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13c400
Source: 5GPueTFF2S.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 5GPueTFF2S.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 5GPueTFF2S.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 5GPueTFF2S.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5GPueTFF2S.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 5GPueTFF2S.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 5GPueTFF2S.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 5GPueTFF2S.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr
Source: Binary string: C:\Yafoca\Rij\Kehiquo soja kafex.pdb source: 5GPueTFF2S.exe
Source: 5GPueTFF2S.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5GPueTFF2S.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5GPueTFF2S.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5GPueTFF2S.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5GPueTFF2S.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\5GPueTFF2S.exe Unpacked PE file: 0.2.5GPueTFF2S.exe.60900000.3.unpack
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00ECA499 push ecx; ret 0_2_00ECA4AC
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC7D69 push ebp; iretd 0_2_00EC7D77
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC7D2E push ebp; iretd 0_2_00EC7D50
Source: 75873290272674793137.exe.0.dr Static PE information: section name: lB@dO\ih
Source: 75873290272674793137.exe.0.dr Static PE information: section name: Fh?jG[OJ
Source: 75873290272674793137.exe.0.dr Static PE information: section name: qNR5:WbS
Source: 75873290272674793137.exe.0.dr Static PE information: section name: z?fd8ijJ
Source: 75873290272674793137.exe.0.dr Static PE information: section name: CV?7x>JO
Source: 75873290272674793137.exe.0.dr Static PE information: section name: EVjKc_MI
Source: 75873290272674793137.exe.0.dr Static PE information: section name: dT<:EHzj
Source: 75873290272674793137.exe.0.dr Static PE information: section name: @]topACL
Source: nppshell[1].exe.0.dr Static PE information: section name: lB@dO\ih
Source: nppshell[1].exe.0.dr Static PE information: section name: Fh?jG[OJ
Source: nppshell[1].exe.0.dr Static PE information: section name: qNR5:WbS
Source: nppshell[1].exe.0.dr Static PE information: section name: z?fd8ijJ
Source: nppshell[1].exe.0.dr Static PE information: section name: CV?7x>JO
Source: nppshell[1].exe.0.dr Static PE information: section name: EVjKc_MI
Source: nppshell[1].exe.0.dr Static PE information: section name: dT<:EHzj
Source: nppshell[1].exe.0.dr Static PE information: section name: @]topACL
Source: gntuud.exe.1.dr Static PE information: section name: lB@dO\ih
Source: gntuud.exe.1.dr Static PE information: section name: Fh?jG[OJ
Source: gntuud.exe.1.dr Static PE information: section name: qNR5:WbS
Source: gntuud.exe.1.dr Static PE information: section name: z?fd8ijJ
Source: gntuud.exe.1.dr Static PE information: section name: CV?7x>JO
Source: gntuud.exe.1.dr Static PE information: section name: EVjKc_MI
Source: gntuud.exe.1.dr Static PE information: section name: dT<:EHzj
Source: gntuud.exe.1.dr Static PE information: section name: @]topACL
Source: cred64[1].dll.7.dr Static PE information: section name: f5g\gWe7
Source: cred64[1].dll.7.dr Static PE information: section name: zDthL)*@
Source: cred64[1].dll.7.dr Static PE information: section name: nb"h!m#Y
Source: cred64[1].dll.7.dr Static PE information: section name: $^+<%+dU
Source: cred64[1].dll.7.dr Static PE information: section name: Z-),j99t
Source: cred64[1].dll.7.dr Static PE information: section name: 8"ikKHD[
Source: cred64[1].dll.7.dr Static PE information: section name: k&l<0?<6
Source: cred64[1].dll.7.dr Static PE information: section name: n[uZh3ex
Source: cred64[1].dll.7.dr Static PE information: section name: Uh%r6i!H
Source: cred64.dll.7.dr Static PE information: section name: f5g\gWe7
Source: cred64.dll.7.dr Static PE information: section name: zDthL)*@
Source: cred64.dll.7.dr Static PE information: section name: nb"h!m#Y
Source: cred64.dll.7.dr Static PE information: section name: $^+<%+dU
Source: cred64.dll.7.dr Static PE information: section name: Z-),j99t
Source: cred64.dll.7.dr Static PE information: section name: 8"ikKHD[
Source: cred64.dll.7.dr Static PE information: section name: k&l<0?<6
Source: cred64.dll.7.dr Static PE information: section name: n[uZh3ex
Source: cred64.dll.7.dr Static PE information: section name: Uh%r6i!H
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00ECBAFC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_00ECBAFC
Source: initial sample Static PE information: section where entry point is pointing to: EVjKc_MI
Source: initial sample Static PE information: section name: .text entropy: 7.993775932964981

Persistence and Installation Behavior

Source: Yara match File source: 00000007.00000003.483002099.0000000001165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File created: C:\ProgramData\75873290272674793137.exe
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\nppshell[1].exe
Source: C:\ProgramData\75873290272674793137.exe File created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F

Hooking and other Techniques for Hiding and Protection

Source: C:\ProgramData\75873290272674793137.exe Memory written: PID: 6132 base: 640005 value: E9 FB 99 72 77
Source: C:\ProgramData\75873290272674793137.exe Memory written: PID: 6132 base: 77D69A00 value: E9 0A 66 8D 88
Source: C:\ProgramData\75873290272674793137.exe Memory written: PID: 6132 base: 7A0007 value: E9 7B 4C 60 77
Source: C:\ProgramData\75873290272674793137.exe Memory written: PID: 6132 base: 77DA4C80 value: E9 8E B3 9F 88
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5292 base: 1030005 value: E9 FB 99 D3 76
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5292 base: 77D69A00 value: E9 0A 66 2C 89
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5292 base: 1040007 value: E9 7B 4C D6 76
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5292 base: 77DA4C80 value: E9 8E B3 29 89
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5956 base: 1290005 value: E9 FB 99 AD 76
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5956 base: 77D69A00 value: E9 0A 66 52 89
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5956 base: 2C40007 value: E9 7B 4C 16 75
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5956 base: 77DA4C80 value: E9 8E B3 E9 8A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: EF0005 value: E9 FB 99 E7 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 77D69A00 value: E9 0A 66 18 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: F00007 value: E9 7B 4C EA 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 77DA4C80 value: E9 8E B3 15 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 32C0005 value: E9 FB BF A7 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 77D3C000 value: E9 0A 40 58 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 32E0008 value: E9 AB E0 A9 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 77D7E0B0 value: E9 60 1F 56 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 58A0005 value: E9 CB 5A D3 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 775D5AD0 value: E9 3A A5 2C 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 58B0005 value: E9 5B B0 D4 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 775FB060 value: E9 AA 4F 2B 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 58C0005 value: E9 DB F8 26 6F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 74B2F8E0 value: E9 2A 07 D9 90
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 58D0005 value: E9 FB 42 28 6F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 74B54300 value: E9 0A BD D7 90
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 77D3C000 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 775D5AD0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 775FB060 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 74B2F8E0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 74B54300 value: 8B FF 55 8B EC
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Process created: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\75873290272674793137.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\ProgramData\75873290272674793137.exe Special instruction interceptor: First address: 00000000015B25FE instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Special instruction interceptor: First address: 00000000006E25FE instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\ProgramData\75873290272674793137.exe RDTSC instruction interceptor: First address: 00000000015B25FE second address: 00000000015D33CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007F70A919E801h 0x00000008 call 00007F70A913D081h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007F70A92EFF1Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe RDTSC instruction interceptor: First address: 00000000006E25FE second address: 00000000007033CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007F70A8349041h 0x00000008 call 00007F70A82E78C1h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007F70A849A75Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000000559D526 second address: 000000000559D559 instructions: 0x00000000 rdtsc 0x00000002 movsx dx, bh 0x00000006 dec cl 0x00000008 or edx, ecx 0x0000000a bts edx, ecx 0x0000000d xchg dh, dh 0x0000000f not cl 0x00000011 cbw 0x00000013 neg cl 0x00000015 bsf eax, eax 0x00000018 mov eax, 78B605B0h 0x0000001d or ah, FFFFFF9Eh 0x00000020 add cl, FFFFFF94h 0x00000023 xor bl, cl 0x00000025 or dh, dl 0x00000027 push ebp 0x00000028 inc ebp 0x00000029 cdq 0x0000002a cwd 0x0000002c push esi 0x0000002d push ebx 0x0000002e xor bp, di 0x00000031 cwd 0x00000033 rdtsc
Source: C:\Users\user\Desktop\5GPueTFF2S.exe TID: 5852 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 4904 Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5672 Thread sleep time: -780000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5924 Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 4836 Thread sleep time: -2520000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5928 Thread sleep time: -1440000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 4836 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5672 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 360000
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 50000
Source: C:\Windows\SysWOW64\rundll32.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW_^
Source: 5GPueTFF2S.exe, 00000000.00000002.429571864.0000000008DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging

Source: C:\ProgramData\75873290272674793137.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00ECA6E1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00ECA6E1
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC35E0 _memset,GetProcAddress,KiUserExceptionDispatcher,CoInitialize,GetThreadUILanguage,TlsGetValue,GetSystemDefaultLangID,IsZoomed,FoldStringW,CoUninitialize,CoUninitialize,GetProcAddress,GetProcAddress,Sleep,OutputDebugStringW,SetLastError,GetLastError,GetLastError,SetLastError,GetConsoleCP,GetLastError,HeapCreate,GetProcAddress,Sleep,RtlAllocateHeap, 0_2_00EC35E0
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00ECBAFC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_00ECBAFC
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Process queried: DebugPort
Source: C:\ProgramData\75873290272674793137.exe Process queried: DebugPort
Source: C:\ProgramData\75873290272674793137.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00ECA6E1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00ECA6E1
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00ECCEC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00ECCEC4
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00EC91DC SetUnhandledExceptionFilter, 0_2_00EC91DC
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00ECD545 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00ECD545

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.4 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 85.209.135.109 80
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Process created: C:\ProgramData\75873290272674793137.exe "C:\ProgramData\75873290272674793137.exe"
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit
Source: C:\ProgramData\75873290272674793137.exe Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: GetLocaleInfoA, 0_2_00ECE8AA
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Code function: 0_2_00ECA63C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00ECA63C

Stealing of Sensitive Information

Source: Yara match File source: 18.2.gntuud.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.75873290272674793137.exe.f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.518241260.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.445175041.0000000000F71000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.483002099.0000000001165000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.5GPueTFF2S.exe.a3f900.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.5GPueTFF2S.exe.b070000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.5GPueTFF2S.exe.a3f900.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5GPueTFF2S.exe.b070000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.5GPueTFF2S.exe.b070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\????
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\5GPueTFF2S.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: file__0.localstorage
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default_wallet
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum"
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: multidoge.wallet
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\5GPueTFF2S.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match File source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.5GPueTFF2S.exe.a3f900.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.5GPueTFF2S.exe.b070000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.5GPueTFF2S.exe.a3f900.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5GPueTFF2S.exe.b070000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.5GPueTFF2S.exe.b070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR