
Windows Analysis Report
dh58NtARpk.exe

Overview

General Information

Sample Name:dh58NtARpk.exe
Original Sample Name:2032b7d145fe0f407b98c2a48062ee79.exe
Analysis ID:829682
MD5:2032b7d145fe0f407b98c2a48062ee79
SHA1:b418b3306c7335b9ae886c1adb9082a902c232a8
SHA256:34f97fa022bcab02aa6d9304a871bf226edc4050fe66ab334d33f1d3f59e0911
Tags:exeRedLineStealer

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • dh58NtARpk.exe (PID: 5768 cmdline: C:\Users\user\Desktop\dh58NtARpk.exe MD5: 2032B7D145FE0F407B98C2A48062EE79)
    • niba6381.exe (PID: 5784 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\niba6381.exe MD5: E932D020D5BCC91C42D7895B0C015B9F)
      • niba7464.exe (PID: 5820 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\niba7464.exe MD5: F3CABEEFAC76CD6579D2F50C697BE89E)
        • f6228Ih.exe (PID: 5844 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe MD5: 7E93BACBBC33E6652E147E7FE07572A0)
        • h27pP32.exe (PID: 6028 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\h27pP32.exe MD5: D8B9F9B9746A572D47B8CF13539512F6)
  • rundll32.exe (PID: 5876 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 6100 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 4800 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is malware available for sale on underground forums, apparently as a standalone product ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "193.233.20.28:4125", "Bot Id": "ruka", "Message": "", "Authorization Header": "5d1d0e51ebe1e3f16cca573ff651c43c"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1a430:$pat14: , CommandLine:
  • 0x134a7:$v2_1: ListOfProcesses
  • 0x13286:$v4_3: base64str
  • 0x13dff:$v4_4: stringKey
  • 0x11b63:$v4_5: BytesToStringConverted
  • 0x10d76:$v4_6: FromBase64
  • 0x12098:$v4_8: procName
  • 0x12811:$v5_5: FileScanning
  • 0x11d6c:$v5_7: RecordHeaderField
  • 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source | Rule | Description | Author | Strings
00000005.00000002.304653945.00000000044E0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000005.00000002.304653945.00000000044E0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.304145218.0000000000400000.00000040.00000001.01000000.00000009.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000005.00000002.304145218.0000000000400000.00000040.00000001.01000000.00000009.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
00000005.00000002.304521804.0000000002B66000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1760:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source | Rule | Description | Author | Strings
5.3.h27pP32.exe.4530000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
5.3.h27pP32.exe.4530000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
0.3.dh58NtARpk.exe.524f020.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.3.dh58NtARpk.exe.524f020.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1a430:$pat14: , CommandLine:
  • 0x134a7:$v2_1: ListOfProcesses
  • 0x13286:$v4_3: base64str
  • 0x13dff:$v4_4: stringKey
  • 0x11b63:$v4_5: BytesToStringConverted
  • 0x10d76:$v4_6: FromBase64
  • 0x12098:$v4_8: procName
  • 0x12811:$v5_5: FileScanning
  • 0x11d6c:$v5_7: RecordHeaderField
  • 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.dh58NtARpk.exe.524f020.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
No Sigma rule has matched
No Snort rule has matched



AV Detection

Source: dh58NtARpk.exe | ReversingLabs: Detection: 69%
Source: dh58NtARpk.exe | Virustotal: Detection: 55%
Source: dh58NtARpk.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe | Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\iycPo61.exe | ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe | ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | ReversingLabs: Detection: 48%
Source: dh58NtARpk.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\iycPo61.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.235426938.00000000051A1000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.28:4125", "Bot Id": "ruka", "Message": "", "Authorization Header": "5d1d0e51ebe1e3f16cca573ff651c43c"}
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA

Compliance

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Unpacked PE file: 5.2.h27pP32.exe.400000.0.unpack
Source: dh58NtARpk.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: dh58NtARpk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: dh58NtARpk.exe, niba7464.exe.1.dr, niba6381.exe.0.dr
Source: Binary string: Healer.pdb source: h27pP32.exe, 00000005.00000002.305948165.0000000007090000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304830250.0000000004640000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304929325.0000000004840000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.305167089.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.279403507.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdbGCTL source: dh58NtARpk.exe, niba7464.exe.1.dr, niba6381.exe.0.dr
Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: niba6381.exe, 00000001.00000003.238348092.00000000051F7000.00000004.00000020.00020000.00000000.sdmp, iycPo61.exe.1.dr
Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: niba7464.exe, 00000002.00000003.239342655.0000000004374000.00000004.00000020.00020000.00000000.sdmp, f6228Ih.exe, 00000003.00000000.239784677.0000000000162000.00000002.00000001.01000000.00000006.sdmp, f6228Ih.exe.2.dr
Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: niba7464.exe, 00000002.00000003.239342655.0000000004374000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000000.266171659.0000000000401000.00000020.00000001.01000000.00000009.sdmp, h27pP32.exe.2.dr
Source: Binary string: _.pdb source: h27pP32.exe, 00000005.00000002.304543261.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304830250.0000000004640000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304929325.0000000004840000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.305167089.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.281688316.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.279403507.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb source: niba6381.exe, 00000001.00000003.238348092.00000000051F7000.00000004.00000020.00020000.00000000.sdmp, iycPo61.exe.1.dr
Source: Binary string: Healer.pdbH5 source: h27pP32.exe, 00000005.00000002.305948165.0000000007090000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304830250.0000000004640000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304929325.0000000004840000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.305167089.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.279403507.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\h27pP32.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\

Networking

Source: Malware configuration extractor | URLs: 193.233.20.28:4125
Source: dh58NtARpk.exe, 00000000.00000003.235426938.00000000051A1000.00000004.00000020.00020000.00000000.sdmp, l91ip55.exe.0.dr | String found in binary or memory: https://api.ip.sb/ip

System Summary

Source: 5.3.h27pP32.exe.4530000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.dh58NtARpk.exe.524f020.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.dh58NtARpk.exe.524f020.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h27pP32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h27pP32.exe.44e0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h27pP32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.304653945.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.304145218.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.304521804.0000000002B66000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000003.279003649.0000000004530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe, type: DROPPED | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: dh58NtARpk.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.3.h27pP32.exe.4530000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.dh58NtARpk.exe.524f020.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.dh58NtARpk.exe.524f020.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.h27pP32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.h27pP32.exe.44e0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.h27pP32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.304653945.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.304145218.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.304521804.0000000002B66000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000003.279003649.0000000004530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe, type: DROPPED | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE3BA2
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00418244
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00401650
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00418788
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044F84AB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E2DF7
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044EDE78
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E8EC7
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E7EA6
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E6F07
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044FA725
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044F8F33
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E77D9
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E786D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E18B7
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044F89EF
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E31F0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E3187
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E2B17
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_04A20DB0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: String function: 044EE43F appears 44 times
              Source: dh58NtARpk.exeStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 711755 bytes, 2 files, at 0x2c +A "niba6381.exe" +A "l91ip55.exe", ID 1893, number 1, 28 datablocks, 0x1503 compression
              Source: niba6381.exe.0.drStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 566313 bytes, 2 files, at 0x2c +A "niba7464.exe" +A "iycPo61.exe", ID 1978, number 1, 24 datablocks, 0x1503 compression
              Source: niba7464.exe.1.drStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 206918 bytes, 2 files, at 0x2c +A "f6228Ih.exe" +A "h27pP32.exe", ID 1727, number 1, 11 datablocks, 0x1503 compression
              Source: dh58NtARpk.exe, 00000000.00000003.235426938.00000000051A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs dh58NtARpk.exe
              Source: dh58NtARpk.exe, 00000000.00000003.235426938.00000000051A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWearing.exe< vs dh58NtARpk.exe
              Source: dh58NtARpk.exeBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs dh58NtARpk.exe
              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe B182F2D3D49BDDA2E29A0ED312DEEF4BEE03983DE54080C5E97AD6422DE192D2
              Source: iycPo61.exe.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: h27pP32.exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: dh58NtARpk.exeReversingLabs: Detection: 69%
              Source: dh58NtARpk.exeVirustotal: Detection: 55%
              Source: dh58NtARpk.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\dh58NtARpk.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\dh58NtARpk.exe C:\Users\user\Desktop\dh58NtARpk.exe
              Source: C:\Users\user\Desktop\dh58NtARpk.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\niba6381.exe
              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\niba7464.exe
              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe
              Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\h27pP32.exe
              Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\
              Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\
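The process tree above is the shape of a nested IExpress self-extractor chain (the wextract.pdb strings further down confirm the stub): each stage unpacks the next package into %TEMP%\IXP<nnn>.TMP\, runs it, and on exit has rundll32 remove the extraction directory through the DelNodeRunDLL32 export of advpack.dll. The Python below is an added detection example and is not part of the Joe Sandbox report; the event records are constructed from the "Process created" rows above, and the threshold of two or more nested IXP levels is an assumption (a single, non-nested IExpress package extracts into IXP000.TMP only).

```python
"""Detection over process-creation records for the nested IExpress (wextract)
drop chain and its advpack DelNodeRunDLL32 self-cleanup.
Added example, not part of the sandbox report; EVENTS is constructed from the
report's "Process created" rows."""
import re
from dataclasses import dataclass

# wextract extracts each package into %TEMP%\IXP<nnn>.TMP\ (IXP000.TMP, IXP001.TMP, ...)
IXP_DIR = re.compile(r"\\temp\\ixp(\d{3})\.tmp\\", re.IGNORECASE)
# "rundll32.exe advpack.dll,DelNodeRunDLL32 <dir>": the stub deleting its own extraction directory
DELNODE = re.compile(r'rundll32\.exe.*advpack\.dll,\s*DelNodeRunDLL32\s+"?([^"]+)', re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str  # "unknown" where the report shows no parent
    image: str
    command_line: str


TEMP = r"C:\Users\user\AppData\Local\Temp"
TEMP8 = r"C:\Users\user~1\AppData\Local\Temp"  # 8.3 form, as the sandbox logged it
RUNDLL = r"C:\Windows\System32\rundll32.exe"
DELNODE_CMD = r'C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "'

# Constructed from the report's process tree (same order as the rows above)
EVENTS = [
    ProcEvent("unknown", r"C:\Users\user\Desktop\dh58NtARpk.exe", r"C:\Users\user\Desktop\dh58NtARpk.exe"),
    ProcEvent(r"C:\Users\user\Desktop\dh58NtARpk.exe", TEMP + r"\IXP000.TMP\niba6381.exe", TEMP8 + r"\IXP000.TMP\niba6381.exe"),
    ProcEvent(TEMP + r"\IXP000.TMP\niba6381.exe", TEMP + r"\IXP001.TMP\niba7464.exe", TEMP8 + r"\IXP001.TMP\niba7464.exe"),
    ProcEvent(TEMP + r"\IXP001.TMP\niba7464.exe", TEMP + r"\IXP002.TMP\f6228Ih.exe", TEMP8 + r"\IXP002.TMP\f6228Ih.exe"),
    ProcEvent("unknown", RUNDLL, DELNODE_CMD + TEMP8 + r"\IXP000.TMP" + "\\"),
    ProcEvent(TEMP + r"\IXP001.TMP\niba7464.exe", TEMP + r"\IXP002.TMP\h27pP32.exe", TEMP8 + r"\IXP002.TMP\h27pP32.exe"),
    ProcEvent("unknown", RUNDLL, DELNODE_CMD + TEMP8 + r"\IXP001.TMP" + "\\"),
    ProcEvent("unknown", RUNDLL, DELNODE_CMD + TEMP8 + r"\IXP002.TMP" + "\\"),
]


def ixp_level(path: str):
    """Return the IXP<nnn> index of the extraction directory a path lives in, or None."""
    m = IXP_DIR.search(path)
    return int(m.group(1)) if m else None


def find_nested_extraction(events):
    """(child image, IXP level) for each child started from an IXP directory that is
    deeper than its parent's (or whose parent is outside any IXP directory)."""
    hits = []
    for ev in events:
        child = ixp_level(ev.image)
        if child is None:
            continue
        parent = ixp_level(ev.parent_image)
        if parent is None or child > parent:
            hits.append((ev.image, child))
    return hits


def find_cleanup(events):
    """Directories the stub deletes through advpack.dll,DelNodeRunDLL32."""
    return [m.group(1) for ev in events if (m := DELNODE.search(ev.command_line))]


def max_chain_depth(events) -> int:
    """Number of nested extraction levels seen (IXP000..IXP002 gives 3)."""
    levels = [lvl for _, lvl in find_nested_extraction(events)]
    return max(levels) + 1 if levels else 0


def is_suspicious(events, min_depth: int = 2) -> bool:
    """Assumed rule: nested extraction at least min_depth deep plus at least one self-cleanup."""
    return max_chain_depth(events) >= min_depth and bool(find_cleanup(events))


if __name__ == "__main__":
    for image, lvl in find_nested_extraction(EVENTS):
        print(f"IXP{lvl:03d}: {image}")
    print("cleanup:", find_cleanup(EVENTS))
    print("suspicious:", is_suspicious(EVENTS))
```

On the report's tree this yields three extraction levels (IXP000 to IXP002) and three cleanup commands. The parent-image comparison matters more than the directory name alone: a legitimate installer also runs from IXP000.TMP, so the signal is a child from a deeper IXP directory than its parent, followed by the stub erasing the directory it ran from.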
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f6228Ih.exe.log
Source: C:\Users\user\Desktop\dh58NtARpk.exe | File created: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP
Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/8@0/0
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE3FEF CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe | Code function: 3_2_00007FFDC4411B10 ChangeServiceConfigA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE4FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Command line argument: Kernel32.dll | 0_2_00BE2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Command line argument: Kernel32.dll | 1_2_00CC2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Command line argument: Kernel32.dll | 2_2_00BC2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Command line argument: 08A | 5_2_00413780
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: dh58NtARpk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dh58NtARpk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dh58NtARpk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dh58NtARpk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dh58NtARpk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dh58NtARpk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dh58NtARpk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: wextract.pdb source: dh58NtARpk.exe, niba7464.exe.1.dr, niba6381.exe.0.dr
              Source: Binary string: Healer.pdb source: h27pP32.exe, 00000005.00000002.305948165.0000000007090000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304830250.0000000004640000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304929325.0000000004840000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.305167089.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.279403507.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wextract.pdbGCTL source: dh58NtARpk.exe, niba7464.exe.1.dr, niba6381.exe.0.dr
              Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: niba6381.exe, 00000001.00000003.238348092.00000000051F7000.00000004.00000020.00020000.00000000.sdmp, iycPo61.exe.1.dr
              Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: niba7464.exe, 00000002.00000003.239342655.0000000004374000.00000004.00000020.00020000.00000000.sdmp, f6228Ih.exe, 00000003.00000000.239784677.0000000000162000.00000002.00000001.01000000.00000006.sdmp, f6228Ih.exe.2.dr
              Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: niba7464.exe, 00000002.00000003.239342655.0000000004374000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000000.266171659.0000000000401000.00000020.00000001.01000000.00000009.sdmp, h27pP32.exe.2.dr
              Source: Binary string: _.pdb source: h27pP32.exe, 00000005.00000002.304543261.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304830250.0000000004640000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304929325.0000000004840000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.305167089.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.281688316.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.279403507.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb source: niba6381.exe, 00000001.00000003.238348092.00000000051F7000.00000004.00000020.00020000.00000000.sdmp, iycPo61.exe.1.dr
              Source: Binary string: Healer.pdbH5 source: h27pP32.exe, 00000005.00000002.305948165.0000000007090000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304830250.0000000004640000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304929325.0000000004840000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.305167089.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.279403507.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Unpacked PE file: 5.2.h27pP32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Unpacked PE file: 5.2.h27pP32.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE724D push ecx; ret 0_2_00BE7260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC724D push ecx; ret 1_2_00CC7260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC724D push ecx; ret 2_2_00BC7260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0041C40C push cs; iretd 5_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00423149 push eax; ret 5_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0041C50E push cs; iretd 5_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_004231C8 push eax; ret 5_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0040E21D push ecx; ret 5_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0041C6BE push ebx; ret 5_2_0041C6BF
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044EE484 push ecx; ret 5_2_044EE497
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044FBE73 push cs; iretd 5_2_044FBF49
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044FBF75 push cs; iretd 5_2_044FBF49
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044FC125 push ebx; ret 5_2_044FC126
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_04A24139 push edi; iretd 5_2_04A2414E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_04A2454E push ecx; retf 5_2_04A24554
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree
Source: l91ip55.exe.0.dr | Static PE information: 0xD1DEA1A2 [Tue Jul 29 15:28:34 2081 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.842085736950787
Source: initial sample | Static PE information: section name: .text entropy: 7.7554731967823
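Two of the static observations above, the compile timestamp 0xD1DEA1A2 on the dropped l91ip55.exe (which decodes to the year 2081) and .text sections with entropy above 7.7 bits per byte, are the cheap checks a triage analyst runs before any dynamic analysis. The Python below is an added example and is not part of the Joe Sandbox report: it reads the COFF header and section table directly with struct (no pefile dependency), flags a timestamp in the future, a high-entropy section and any section mapped writable and executable, and runs on a skeletal PE32 constructed inside the block rather than on the real sample. The 7.0 entropy cut-off is an assumption, not a sandbox setting.

```python
"""Static PE triage: future compile timestamp, packed (high-entropy) sections,
writable+executable sections. Added example, not the sandbox's own code; the
PE parsed here is a synthetic file built by build_synthetic_pe(), not the sample."""
import hashlib
import math
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the COFF TimeDateStamp and the section table (name, raw-data entropy, flags)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    _machine, nsec, tstamp, _symtab, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sec_off = pe_off + 4 + 20 + opt_size                      # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, _vsize, _va, rawsize, rawptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "entropy": shannon_entropy(raw), "characteristics": flags})
    return {"timestamp": tstamp, "sections": sections}


def triage(data: bytes, now_ts: int, entropy_threshold: float = 7.0) -> list:
    """Findings worth a second look. now_ts is the analysis time as a Unix timestamp;
    entropy_threshold is an assumed cut-off for 'probably packed or encrypted'."""
    pe = parse_pe(data)
    findings = []
    if pe["timestamp"] > now_ts:
        built = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
        findings.append(f"timestamp in the future: 0x{pe['timestamp']:08X} [{built:%a %b %d %H:%M:%S %Y} UTC]")
    for s in pe["sections"]:
        if s["entropy"] >= entropy_threshold:
            findings.append(f"section {s['name']} entropy {s['entropy']:.2f} (likely packed)")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
    return findings


def build_synthetic_pe(timestamp: int = 0xD1DEA1A2) -> bytes:
    """Constructed test input: a skeletal PE32 with a pseudo-random .text (stands in for
    packed code) and an all-zero .data. Headers are minimal; it is not loadable."""
    text = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))  # 4096 bytes
    data_sec = b"\0" * 0x200
    pe_off, opt_size, text_ptr = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, opt_size, 0x0102)   # i386, 2 sections, EXECUTABLE_IMAGE|32BIT
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)                       # PE32 magic, rest zeroed
    sec_text = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_ptr, 0, 0, 0, 0, 0x60000020)
    sec_data = struct.pack("<8sIIIIIIHHI", b".data", len(data_sec), 0x3000, len(data_sec),
                           text_ptr + len(text), 0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec_text + sec_data
    assert len(hdr) <= text_ptr
    return hdr + b"\0" * (text_ptr - len(hdr)) + text + data_sec


if __name__ == "__main__":
    sample = build_synthetic_pe()
    for finding in triage(sample, now_ts=int(datetime.now(timezone.utc).timestamp())):
        print(finding)
```

On the synthetic file this reports the 2081 timestamp and a .text entropy close to 8.0; against real samples, run it over every dropped file too, since here the odd timestamp sits on l91ip55.exe rather than on the submitted binary. A future timestamp alone is weak evidence (some toolchains and packers write arbitrary values), which is why it is reported alongside entropy rather than as a verdict.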
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe
Source: C:\Users\user\Desktop\dh58NtARpk.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe
Source: C:\Users\user\Desktop\dh58NtARpk.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\iycPo61.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA