Windows Analysis Report
dh58NtARpk.exe

Overview

General Information

Sample Name: dh58NtARpk.exe
Original Sample Name: 2032b7d145fe0f407b98c2a48062ee79.exe
Analysis ID: 829682
MD5: 2032b7d145fe0f407b98c2a48062ee79
SHA1: b418b3306c7335b9ae886c1adb9082a902c232a8
SHA256: 34f97fa022bcab02aa6d9304a871bf226edc4050fe66ab334d33f1d3f59e0911
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: dh58NtARpk.exe ReversingLabs: Detection: 69%
Source: dh58NtARpk.exe Virustotal: Detection: 55%
Source: dh58NtARpk.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\iycPo61.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe ReversingLabs: Detection: 48%
Source: dh58NtARpk.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\iycPo61.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe Joe Sandbox ML: detected
Source: 00000000.00000003.235426938.00000000051A1000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.28:4125", "Bot Id": "ruka", "Message": "", "Authorization Header": "5d1d0e51ebe1e3f16cca573ff651c43c"}
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00BE2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Code function: 1_2_00CC2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 1_2_00CC2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Code function: 2_2_00BC2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 2_2_00BC2F1D

Compliance

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Unpacked PE file: 5.2.h27pP32.exe.400000.0.unpack
Source: dh58NtARpk.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: dh58NtARpk.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: dh58NtARpk.exe, niba7464.exe.1.dr, niba6381.exe.0.dr
Source: Binary string: Healer.pdb source: h27pP32.exe, 00000005.00000002.305948165.0000000007090000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304830250.0000000004640000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304929325.0000000004840000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.305167089.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.279403507.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdbGCTL source: dh58NtARpk.exe, niba7464.exe.1.dr, niba6381.exe.0.dr
Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: niba6381.exe, 00000001.00000003.238348092.00000000051F7000.00000004.00000020.00020000.00000000.sdmp, iycPo61.exe.1.dr
Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: niba7464.exe, 00000002.00000003.239342655.0000000004374000.00000004.00000020.00020000.00000000.sdmp, f6228Ih.exe, 00000003.00000000.239784677.0000000000162000.00000002.00000001.01000000.00000006.sdmp, f6228Ih.exe.2.dr
Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: niba7464.exe, 00000002.00000003.239342655.0000000004374000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000000.266171659.0000000000401000.00000020.00000001.01000000.00000009.sdmp, h27pP32.exe.2.dr
Source: Binary string: _.pdb source: h27pP32.exe, 00000005.00000002.304543261.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304830250.0000000004640000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304929325.0000000004840000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.305167089.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.281688316.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.279403507.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb source: niba6381.exe, 00000001.00000003.238348092.00000000051F7000.00000004.00000020.00020000.00000000.sdmp, iycPo61.exe.1.dr
Source: Binary string: Healer.pdbH5 source: h27pP32.exe, 00000005.00000002.305948165.0000000007090000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304830250.0000000004640000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304929325.0000000004840000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.305167089.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.279403507.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00BE2390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Code function: 1_2_00CC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00CC2390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Code function: 2_2_00BC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00BC2390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File opened: C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File opened: C:\Users\user~1\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File opened: C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\h27pP32.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File opened: C:\Users\user~1\AppData\

Networking

Source: Malware configuration extractor URLs: 193.233.20.28:4125
Source: dh58NtARpk.exe, 00000000.00000003.235426938.00000000051A1000.00000004.00000020.00020000.00000000.sdmp, l91ip55.exe.0.dr String found in binary or memory: https://api.ip.sb/ip

System Summary

Source: 5.3.h27pP32.exe.4530000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.dh58NtARpk.exe.524f020.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.dh58NtARpk.exe.524f020.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h27pP32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h27pP32.exe.44e0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h27pP32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.304653945.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.304145218.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.304521804.0000000002B66000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000003.279003649.0000000004530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.3.h27pP32.exe.4530000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.dh58NtARpk.exe.524f020.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.dh58NtARpk.exe.524f020.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.h27pP32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.h27pP32.exe.44e0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.h27pP32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.304653945.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.304145218.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.304521804.0000000002B66000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000003.279003649.0000000004530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 0_2_00BE1F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Code function: 1_2_00CC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 1_2_00CC1F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Code function: 2_2_00BC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 2_2_00BC1F90
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE3BA2 0_2_00BE3BA2
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE5C9E 0_2_00BE5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Code function: 1_2_00CC3BA2 1_2_00CC3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Code function: 1_2_00CC5C9E 1_2_00CC5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Code function: 2_2_00BC3BA2 2_2_00BC3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Code function: 2_2_00BC5C9E 2_2_00BC5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_00408C60 5_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_0040DC11 5_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_00407C3F 5_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_00418CCC 5_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_00406CA0 5_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_004028B0 5_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_0041A4BE 5_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_00418244 5_2_00418244
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_00401650 5_2_00401650
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_00402F20 5_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_004193C4 5_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_00418788 5_2_00418788
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_00402F89 5_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_00402B90 5_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_004073A0 5_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044F84AB 5_2_044F84AB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044E2DF7 5_2_044E2DF7
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044EDE78 5_2_044EDE78
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044E8EC7 5_2_044E8EC7
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044E7EA6 5_2_044E7EA6
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044E6F07 5_2_044E6F07
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044FA725 5_2_044FA725
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044F8F33 5_2_044F8F33
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044E77D9 5_2_044E77D9
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044E786D 5_2_044E786D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044E18B7 5_2_044E18B7
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044F89EF 5_2_044F89EF
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044E31F0 5_2_044E31F0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044E3187 5_2_044E3187
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044E2B17 5_2_044E2B17
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_04A20DB0 5_2_04A20DB0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: String function: 044EE43F appears 44 times
Source: dh58NtARpk.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 711755 bytes, 2 files, at 0x2c +A "niba6381.exe" +A "l91ip55.exe", ID 1893, number 1, 28 datablocks, 0x1503 compression
Source: niba6381.exe.0.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 566313 bytes, 2 files, at 0x2c +A "niba7464.exe" +A "iycPo61.exe", ID 1978, number 1, 24 datablocks, 0x1503 compression
Source: niba7464.exe.1.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 206918 bytes, 2 files, at 0x2c +A "f6228Ih.exe" +A "h27pP32.exe", ID 1727, number 1, 11 datablocks, 0x1503 compression
Source: dh58NtARpk.exe, 00000000.00000003.235426938.00000000051A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs dh58NtARpk.exe
Source: dh58NtARpk.exe, 00000000.00000003.235426938.00000000051A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWearing.exe< vs dh58NtARpk.exe
Source: dh58NtARpk.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs dh58NtARpk.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe B182F2D3D49BDDA2E29A0ED312DEEF4BEE03983DE54080C5E97AD6422DE192D2
Source: iycPo61.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: h27pP32.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dh58NtARpk.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dh58NtARpk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\dh58NtARpk.exe C:\Users\user\Desktop\dh58NtARpk.exe
Source: C:\Users\user\Desktop\dh58NtARpk.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\niba6381.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\niba7464.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\h27pP32.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f6228Ih.exe.log
Source: C:\Users\user\Desktop\dh58NtARpk.exe File created: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/8@0/0
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 0_2_00BE597D
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE3FEF CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA, 0_2_00BE3FEF
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Code function: 3_2_00007FFDC4411B10 ChangeServiceConfigA, 3_2_00007FFDC4411B10
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE4FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA, 0_2_00BE4FE0
Source: C:\Users\user\Desktop\dh58NtARpk.exe Command line argument: Kernel32.dll 0_2_00BE2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Command line argument: Kernel32.dll 1_2_00CC2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Command line argument: Kernel32.dll 2_2_00BC2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Command line argument: 08A 5_2_00413780
Source: C:\Users\user\Desktop\dh58NtARpk.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Automated click: OK
Source: dh58NtARpk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dh58NtARpk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dh58NtARpk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dh58NtARpk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dh58NtARpk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dh58NtARpk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Unpacked PE file: 5.2.h27pP32.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE724D push ecx; ret 0_2_00BE7260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Code function: 1_2_00CC724D push ecx; ret 1_2_00CC7260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Code function: 2_2_00BC724D push ecx; ret 2_2_00BC7260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_0041C40C push cs; iretd 5_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_00423149 push eax; ret 5_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_0041C50E push cs; iretd 5_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_004231C8 push eax; ret 5_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_0040E21D push ecx; ret 5_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_0041C6BE push ebx; ret 5_2_0041C6BF
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044EE484 push ecx; ret 5_2_044EE497
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044FBE73 push cs; iretd 5_2_044FBF49
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044FBF75 push cs; iretd 5_2_044FBF49
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044FC125 push ebx; ret 5_2_044FC126
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_04A24139 push edi; iretd 5_2_04A2414E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_04A2454E push ecx; retf 5_2_04A24554
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00BE202A
Source: l91ip55.exe.0.dr Static PE information: 0xD1DEA1A2 [Tue Jul 29 15:28:34 2081 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.842085736950787
Source: initial sample Static PE information: section name: .text entropy: 7.7554731967823
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe
Source: C:\Users\user\Desktop\dh58NtARpk.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe
Source: C:\Users\user\Desktop\dh58NtARpk.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\iycPo61.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00BE1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Code function: 1_2_00CC1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 1_2_00CC1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Code function: 2_2_00BC1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 2_2_00BC1AE8
Source: C:\Users\user\Desktop\dh58NtARpk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe TID: 5868 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe TID: 6132 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\dh58NtARpk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\iycPo61.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\dh58NtARpk.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE5467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00BE5467
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00BE2390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Code function: 1_2_00CC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00CC2390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Code function: 2_2_00BC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00BC2390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File opened: C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File opened: C:\Users\user~1\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File opened: C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\h27pP32.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe File opened: C:\Users\user~1\AppData\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00BE202A
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_0040ADB0 GetProcessHeap,HeapFree, 5_2_0040ADB0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044E092B mov eax, dword ptr fs:[00000030h] 5_2_044E092B
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044E0D90 mov eax, dword ptr fs:[00000030h] 5_2_044E0D90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE6F40 SetUnhandledExceptionFilter, 0_2_00BE6F40
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BE6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Code function: 1_2_00CC6F40 SetUnhandledExceptionFilter, 1_2_00CC6F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe Code function: 1_2_00CC6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00CC6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Code function: 2_2_00BC6F40 SetUnhandledExceptionFilter, 2_2_00BC6F40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe Code function: 2_2_00BC6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00BC6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_004123F1 SetUnhandledExceptionFilter, 5_2_004123F1
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044F2658 SetUnhandledExceptionFilter, 5_2_044F2658
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044ED070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_044ED070
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044EE883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_044EE883
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: 5_2_044F71D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_044F71D1
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE18A3 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, 0_2_00BE18A3
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: GetLocaleInfoA, 5_2_00417A20
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Code function: GetLocaleInfoA, 5_2_044F7C87
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE7155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00BE7155
Source: C:\Users\user\Desktop\dh58NtARpk.exe Code function: 0_2_00BE2BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, 0_2_00BE2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Code function: 3_2_00007FFDC441077D GetUserNameA, 3_2_00007FFDC441077D

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Stealing of Sensitive Information

Source: Yara match File source: 5.3.h27pP32.exe.4530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.dh58NtARpk.exe.524f020.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.dh58NtARpk.exe.524f020.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.h27pP32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.h27pP32.exe.44e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.h27pP32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.304653945.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.304145218.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.235426938.00000000051A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.279003649.0000000004530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 5.3.h27pP32.exe.4530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.dh58NtARpk.exe.524f020.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.dh58NtARpk.exe.524f020.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.h27pP32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.h27pP32.exe.44e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.h27pP32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.304653945.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.304145218.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.235426938.00000000051A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.279003649.0000000004530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe, type: DROPPED
No contacted IP infos