Windows Analysis Report
plEnknXWQD.exe

Overview

General Information

Sample Name: plEnknXWQD.exe
Original Sample Name: 548ee02a30c2dcca5f3f91e90212ec29.exe
Analysis ID: 829681
MD5: 548ee02a30c2dcca5f3f91e90212ec29
SHA1: cff21359a3498e3f3e8def5c553a626363b49922
SHA256: 3b6171920a1c00a384ac77f88d94b78d960bd317efc531748893edcd579e370e
Tags: exe, RedLineStealer
Detection

Amadey, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Amadey's stealer DLL
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • plEnknXWQD.exe (PID: 5516 cmdline: C:\Users\user\Desktop\plEnknXWQD.exe MD5: 548EE02A30C2DCCA5F3F91E90212EC29)
    • will6283.exe (PID: 5504 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe MD5: 52B9E7C5A314A3E0BD0AF989586DE77B)
      • will3629.exe (PID: 5480 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe MD5: 7543D15869BB6AF00305F1C7BA4F6B49)
        • will3971.exe (PID: 5456 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe MD5: 941C83F4C8AD9D1112BFC556CFA74167)
          • mx8896IL.exe (PID: 5584 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe MD5: 7E93BACBBC33E6652E147E7FE07572A0)
          • ns5251Ks.exe (PID: 5660 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe MD5: 79CBBF32E2376C4CADB2DFAD0ED320FA)
  • rundll32.exe (PID: 5612 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 1348 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 5284 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 1008 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about 500$ on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "62.204.41.87/joomla/index.php", "Version": "3.68"}
{"C2 url": "193.233.20.30:4125", "Bot Id": "vint", "Authorization Header": "fb8811912f8370b3d23bffda092d88d0"}
Source / Rule / Description / Author / Strings
  • Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
  • Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings:
    • 0x1a440:$pat14: , CommandLine:
    • 0x134ad:$v2_1: ListOfProcesses
    • 0x1328c:$v4_3: base64str
    • 0x13e05:$v4_4: stringKey
    • 0x11b63:$v4_5: BytesToStringConverted
    • 0x10d76:$v4_6: FromBase64
    • 0x12098:$v4_8: procName
    • 0x12814:$v5_5: FileScanning
    • 0x11d6c:$v5_7: RecordHeaderField
    • 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
  • Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security

Source / Rule / Description / Author / Strings
  • Source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
  • Source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings:
    • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x1300:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1fdd0:$s5: delete[]
    • 0x1f288:$s6: constructor or from DllMain.
  • Source: 00000006.00000002.369287641.0000000002E16000.00000040.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown | Strings:
    • 0x1738:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
  • Source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
  • Source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Smokeloader_3687686f | Description: unknown | Author: unknown | Strings:
    • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

Source / Rule / Description / Author / Strings
  • Source: 6.2.ns5251Ks.exe.400000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
  • Source: 6.2.ns5251Ks.exe.400000.0.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings:
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.
  • Source: 6.3.ns5251Ks.exe.2c20000.0.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
  • Source: 6.3.ns5251Ks.exe.2c20000.0.raw.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings:
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.
  • Source: 6.2.ns5251Ks.exe.400000.0.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

No Sigma rule has matched
No Snort rule has matched

                AV Detection

Source: plEnknXWQD.exe | ReversingLabs: Detection: 66%
Source: plEnknXWQD.exe | Virustotal: Detection: 52%
Source: plEnknXWQD.exe | Avira: detected
Source: 62.204.41.87/joomla/index.php | Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe | Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe | Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe | Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe | ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe | Virustotal: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe | ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe | Virustotal: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe | ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe | Virustotal: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe | ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe | Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe | ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe | ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | ReversingLabs: Detection: 46%
Source: plEnknXWQD.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe | Joe Sandbox ML: detected
Source: 00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.30:4125", "Bot Id": "vint", "Authorization Header": "fb8811912f8370b3d23bffda092d88d0"}
Source: 0.3.plEnknXWQD.exe.49d9220.0.unpack | Malware Configuration Extractor: Amadey {"C2 url": "62.204.41.87/joomla/index.php", "Version": "3.68"}
Source: C:\Users\user\Desktop\plEnknXWQD.exe | Code function: 0_2_00382F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe | Code function: 1_2_01062F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe | Code function: 2_2_00AC2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe | Code function: 3_2_002F2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA

                Compliance

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Unpacked PE file: 6.2.ns5251Ks.exe.400000.0.unpack
Source: plEnknXWQD.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: plEnknXWQD.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: plEnknXWQD.exe, will3971.exe.2.dr, will6283.exe.0.dr, will3629.exe.1.dr
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: plEnknXWQD.exe, 00000000.00000003.307182274.0000000004904000.00000004.00000020.00020000.00000000.sdmp, ry40VI69.exe.0.dr
Source: Binary string: Healer.pdb source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.371166445.0000000007090000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdbGCTL source: plEnknXWQD.exe, will3971.exe.2.dr, will6283.exe.0.dr, will3629.exe.1.dr
Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: will3629.exe, 00000002.00000003.308857846.00000000049B0000.00000004.00000020.00020000.00000000.sdmp, py81WM70.exe.2.dr
Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: will3971.exe, 00000003.00000003.309941661.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, mx8896IL.exe, 00000004.00000000.310427980.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, mx8896IL.exe.3.dr
Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: will3971.exe, 00000003.00000003.309941661.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000000.335153117.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, ns5251Ks.exe.3.dr
Source: Binary string: _.pdb source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000003.346539295.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369340692.0000000002E81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb source: will3629.exe, 00000002.00000003.308857846.00000000049B0000.00000004.00000020.00020000.00000000.sdmp, py81WM70.exe.2.dr
Source: Binary string: Healer.pdbH5 source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.371166445.0000000007090000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\plEnknXWQD.exe | Code function: 0_2_00382390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe | Code function: 1_2_01062390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe | Code function: 2_2_00AC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe | Code function: 3_2_002F2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA

                Networking

Source: Malware configuration extractor | URLs: 62.204.41.87/joomla/index.php
Source: Malware configuration extractor | URLs: 193.233.20.30:4125
Source: will6283.exe, 00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp, qs5212ER.exe.1.dr | String found in binary or memory: https://api.ip.sb/ip
Source: ns5251Ks.exe, 00000006.00000002.369263476.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                System Summary

Source: 6.2.ns5251Ks.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.3.ns5251Ks.exe.2c20000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.ns5251Ks.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.will6283.exe.4deee20.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.ns5251Ks.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.will6283.exe.4deee20.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.369287641.0000000002E16000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe, type: DROPPED | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: plEnknXWQD.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.2.ns5251Ks.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.3.ns5251Ks.exe.2c20000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.ns5251Ks.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.will6283.exe.4deee20.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.ns5251Ks.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.will6283.exe.4deee20.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.369287641.0000000002E16000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe, type: DROPPED | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\plEnknXWQD.exe | Code function: 0_2_00381F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe | Code function: 1_2_01061F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe | Code function: 2_2_00AC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe | Code function: 3_2_002F1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\plEnknXWQD.exe | Code function: 0_2_00383BA2
Source: C:\Users\user\Desktop\plEnknXWQD.exe | Code function: 0_2_00385C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe | Code function: 1_2_01063BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe | Code function: 1_2_01065C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe | Code function: 2_2_00AC3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe | Code function: 2_2_00AC5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe | Code function: 3_2_002F3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe | Code function: 3_2_002F5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_00418244
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_00401650
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_00418788
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_02DC0DB0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: String function: 0040E1D8 appears 44 times
Source: plEnknXWQD.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 907046 bytes, 2 files, at 0x2c +A "will6283.exe" +A "ry40VI69.exe", ID 1992, number 1, 34 datablocks, 0x1503 compression
Source: will6283.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 716290 bytes, 2 files, at 0x2c +A "will3629.exe" +A "qs5212ER.exe", ID 1969, number 1, 28 datablocks, 0x1503 compression
Source: will3629.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 567826 bytes, 2 files, at 0x2c +A "will3971.exe" +A "py81WM70.exe", ID 1993, number 1, 24 datablocks, 0x1503 compression
Source: will3971.exe.2.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 205746 bytes, 2 files, at 0x2c +A "mx8896IL.exe" +A "ns5251Ks.exe", ID 1957, number 1, 11 datablocks, 0x1503 compression
Source: plEnknXWQD.exe, 00000000.00000003.307182274.0000000004904000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs plEnknXWQD.exe
Source: plEnknXWQD.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs plEnknXWQD.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe 42873B0C5899F64B5F3205A4F3146210CC63152E529C69D6292B037844C81EC4
Source: py81WM70.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ns5251Ks.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: plEnknXWQD.exe | ReversingLabs: Detection: 66%
Source: plEnknXWQD.exe | Virustotal: Detection: 52%
Source: plEnknXWQD.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\plEnknXWQD.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\plEnknXWQD.exe C:\Users\user\Desktop\plEnknXWQD.exe
Source: C:\Users\user\Desktop\plEnknXWQD.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Source: C:\Users\user\Desktop\plEnknXWQD.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exeJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exeJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exeJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exeJump to behavior
                Source: C:\Users\user\Desktop\plEnknXWQD.exeCode function: 0_2_00381F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,0_2_00381F90
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exeCode function: 1_2_01061F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,1_2_01061F90
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exeCode function: 2_2_00AC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,2_2_00AC1F90
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exeCode function: 3_2_002F1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,3_2_002F1F90
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mx8896IL.exe.logJump to behavior
                Source: C:\Users\user\Desktop\plEnknXWQD.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMPJump to behavior
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@15/10@0/0
                Source: C:\Users\user\Desktop\plEnknXWQD.exeCode function: 0_2_0038597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,0_2_0038597D
                Source: C:\Users\user\Desktop\plEnknXWQD.exeCode function: 0_2_0038597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,0_2_0038597D
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exeCode function: 4_2_00007FF9A56C1B10 ChangeServiceConfigA,4_2_00007FF9A56C1B10
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exeCode function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,6_2_004019F0
                Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                Source: C:\Users\user\Desktop\plEnknXWQD.exeCode function: 0_2_00384FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA,0_2_00384FE0
                Source: C:\Users\user\Desktop\plEnknXWQD.exeCommand line argument: Kernel32.dll0_2_00382BFB
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exeCommand line argument: Kernel32.dll1_2_01062BFB
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exeCommand line argument: Kernel32.dll2_2_00AC2BFB
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exeCommand line argument: Kernel32.dll3_2_002F2BFB
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exeCommand line argument: 08A6_2_00413780
                Source: C:\Users\user\Desktop\plEnknXWQD.exeAutomated click: OK
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exeAutomated click: OK
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exeAutomated click: OK
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
                Source: plEnknXWQD.exeStatic file information: File size 1063936 > 1048576
                Source: plEnknXWQD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: plEnknXWQD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: plEnknXWQD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: plEnknXWQD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: plEnknXWQD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: plEnknXWQD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: plEnknXWQD.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                Source: plEnknXWQD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: wextract.pdb source: plEnknXWQD.exe, will3971.exe.2.dr, will6283.exe.0.dr, will3629.exe.1.dr
                Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: plEnknXWQD.exe, 00000000.00000003.307182274.0000000004904000.00000004.00000020.00020000.00000000.sdmp, ry40VI69.exe.0.dr
                Source: Binary string: Healer.pdb source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.371166445.0000000007090000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wextract.pdbGCTL source: plEnknXWQD.exe, will3971.exe.2.dr, will6283.exe.0.dr, will3629.exe.1.dr
                Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: will3629.exe, 00000002.00000003.308857846.00000000049B0000.00000004.00000020.00020000.00000000.sdmp, py81WM70.exe.2.dr
                Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: will3971.exe, 00000003.00000003.309941661.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, mx8896IL.exe, 00000004.00000000.310427980.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, mx8896IL.exe.3.dr
                Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: will3971.exe, 00000003.00000003.309941661.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000000.335153117.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, ns5251Ks.exe.3.dr
                Source: Binary string: _.pdb source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000003.346539295.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369340692.0000000002E81000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb source: will3629.exe, 00000002.00000003.308857846.00000000049B0000.00000004.00000020.00020000.00000000.sdmp, py81WM70.exe.2.dr
                Source: Binary string: Healer.pdbH5 source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.371166445.0000000007090000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Unpacked PE file: 6.2.ns5251Ks.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Unpacked PE file: 6.2.ns5251Ks.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\plEnknXWQD.exe | Code function: 0_2_0038724D push ecx; ret 0_2_00387260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe | Code function: 1_2_0106724D push ecx; ret 1_2_01067260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe | Code function: 2_2_00AC724D push ecx; ret 2_2_00AC7260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe | Code function: 3_2_002F724D push ecx; ret 3_2_002F7260
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_0041C40C push cs; iretd 6_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_00423149 push eax; ret 6_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_0041C50E push cs; iretd 6_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe | Code function: 6_2_004231C8 push eax; ret 6_2_00423179
                Source: <