Windows Analysis Report
pYHrqNhFKr.exe

Overview

General Information

Sample Name: pYHrqNhFKr.exe
Original Sample Name: 65cab4a566b172d984c8f8ebfdbdfea0.exe
Analysis ID: 829683
MD5: 65cab4a566b172d984c8f8ebfdbdfea0
SHA1: 5628ef015cc37598a43b0f032b1ef91ad7f24934
SHA256: 4700abbc439afe49697e67333bf6d3fcb04b73d73f44b40f68ed20a1e4812a8b
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: pYHrqNhFKr.exe ReversingLabs: Detection: 69%
Source: pYHrqNhFKr.exe VirusTotal: Detection: 50%
Source: pYHrqNhFKr.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe VirusTotal: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe VirusTotal: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe VirusTotal: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe VirusTotal: Detection: 53%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe ReversingLabs: Detection: 46%
Source: pYHrqNhFKr.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe Joe Sandbox ML: detected
Source: 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.28:4125", "Bot Id": "ruka", "Message": "", "Authorization Header": "5d1d0e51ebe1e3f16cca573ff651c43c"}
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_008A2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Code function: 1_2_00072F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 1_2_00072F1D
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Code function: 2_2_01252F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 2_2_01252F1D

Compliance

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Unpacked PE file: 5.2.h99af07.exe.400000.0.unpack
Source: pYHrqNhFKr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: pYHrqNhFKr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: pYHrqNhFKr.exe, niba6073.exe.0.dr, niba2214.exe.1.dr
Source: Binary string: Healer.pdb source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.308257566.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wextract.pdbGCTL source: pYHrqNhFKr.exe, niba6073.exe.0.dr, niba2214.exe.1.dr
Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: niba6073.exe, 00000001.00000003.242966738.0000000004521000.00000004.00000020.00020000.00000000.sdmp, imYkV36.exe.1.dr
Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: niba2214.exe, 00000002.00000003.243954252.0000000004A0C000.00000004.00000020.00020000.00000000.sdmp, f7051zI.exe, 00000003.00000000.244138101.0000000000CA2000.00000002.00000001.01000000.00000006.sdmp, f7051zI.exe.2.dr
Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: niba2214.exe, 00000002.00000003.243954252.0000000004A0C000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000000.269895289.0000000000401000.00000020.00000001.01000000.00000009.sdmp, h99af07.exe.2.dr
Source: Binary string: _.pdb source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000003.283921128.0000000002F05000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb source: niba6073.exe, 00000001.00000003.242966738.0000000004521000.00000004.00000020.00020000.00000000.sdmp, imYkV36.exe.1.dr
Source: Binary string: Healer.pdbH5 source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.308257566.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_008A2390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Code function: 1_2_00072390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00072390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Code function: 2_2_01252390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_01252390

Networking

Source: Malware configuration extractor URLs: 193.233.20.28:4125
Source: pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, l64fQ59.exe.0.dr String found in binary or memory: https://api.ip.sb/ip
Source: h99af07.exe, 00000005.00000002.307016604.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 0_2_008A1F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Code function: 1_2_00071F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 1_2_00071F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Code function: 2_2_01251F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 2_2_01251F90
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A3BA2 0_2_008A3BA2
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A5C9E 0_2_008A5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Code function: 1_2_00073BA2 1_2_00073BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Code function: 1_2_00075C9E 1_2_00075C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Code function: 2_2_01253BA2 2_2_01253BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Code function: 2_2_01255C9E 2_2_01255C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00408C60 5_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_0040DC11 5_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00407C3F 5_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00418CCC 5_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00406CA0 5_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_004028B0 5_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_0041A4BE 5_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00418244 5_2_00418244
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00401650 5_2_00401650
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00402F20 5_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_004193C4 5_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00418788 5_2_00418788
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00402F89 5_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00402B90 5_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_004073A0 5_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_045E0DB0 5_2_045E0DB0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: String function: 0040E1D8 appears 44 times
Source: pYHrqNhFKr.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 710141 bytes, 2 files, at 0x2c +A "niba6073.exe" +A "l64fQ59.exe", ID 1861, number 1, 28 datablocks, 0x1503 compression
Source: niba6073.exe.0.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 564865 bytes, 2 files, at 0x2c +A "niba2214.exe" +A "imYkV36.exe", ID 1948, number 1, 23 datablocks, 0x1503 compression
Source: niba2214.exe.1.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 205776 bytes, 2 files, at 0x2c +A "f7051zI.exe" +A "h99af07.exe", ID 1758, number 1, 11 datablocks, 0x1503 compression
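The three RT_RCDATA entries above are what makes this a three-stage wextract chain: each stage is a stock wextract.exe stub (see the wextract.pdb and OriginalFilename WEXTRACT.EXE strings) carrying a cabinet that holds the next stub plus one payload. The cabinet directory alone is enough to enumerate the stages without running anything. The Python below is an added example, not Joe Sandbox's code and not code from the sample: it carves MSCF headers out of a byte buffer, rejects false positives on version and size, and lists the CFFILE entries in the same style as the report's resource line (size, file count, the "at 0x2c" CFFILE offset, attributes, names) together with the decoded compression, where typeCompress 0x1503 means LZX with a 2^21 window. The build_sample_dropper helper constructs a synthetic cabinet with the two stage-0 names; it is constructed test data with invented sizes, not the real sample's bytes, and the parser deliberately does not decompress CFDATA.

```python
import struct
from dataclasses import dataclass

# MS-CAB on-disk layouts (little-endian). Reserve fields and CFDATA are not needed to list entries.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # signature .. iCabinet, 36 bytes
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # cbFile, uoffFolderStart, iFolder, date, time, attribs

ATTR_LETTERS = {0x01: "R", 0x02: "H", 0x04: "S", 0x20: "A", 0x40: "X"}
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


@dataclass
class CabFile:
    name: str
    size: int
    attribs: str   # "A" for the archive bit, which `file` prints as +A
    folder: int


@dataclass
class Cabinet:
    offset: int        # position of the MSCF header inside the carrier buffer
    cab_size: int      # cbCabinet
    coff_files: int    # offset of the first CFFILE entry (the report's "at 0x2c")
    compression: str   # e.g. "LZX:21" for typeCompress 0x1503
    files: list


def describe_compression(type_compress: int) -> str:
    """Low nibble is the method; for LZX, bits 8..12 hold the window size exponent."""
    method = COMPRESSION.get(type_compress & 0x0F, "unknown")
    return f"{method}:{(type_compress >> 8) & 0x1F}" if method == "LZX" else method


def _read_sz(buf: bytes, pos: int, limit: int):
    """Read a NUL-terminated string that must end before `limit`."""
    end = buf.find(b"\x00", pos, limit)
    if end < 0:
        raise ValueError("unterminated string in cabinet")
    return buf[pos:end], end + 1


def parse_cabinet(buf: bytes, off: int = 0):
    """Parse the cabinet directory at buf[off:]; return None unless the header is plausible."""
    if len(buf) - off < CFHEADER.size:
        return None
    (sig, _, cb_cabinet, _, coff_files, _, ver_minor, ver_major,
     c_folders, c_files, flags, _, _) = CFHEADER.unpack_from(buf, off)
    # "MSCF" alone is a weak signal: also require version 1.3 and sizes that fit the buffer.
    if sig != b"MSCF" or (ver_major, ver_minor) != (1, 3):
        return None
    if c_folders == 0 or cb_cabinet > len(buf) - off or coff_files >= cb_cabinet:
        return None
    limit, pos = off + cb_cabinet, off + CFHEADER.size
    if flags & 0x0004:                          # cfhdrRESERVE_PRESENT: skip the header reserve
        pos += 4 + struct.unpack_from("<H", buf, pos)[0]
    n_names = (2 if flags & 0x0001 else 0) + (2 if flags & 0x0002 else 0)
    for _ in range(n_names):                    # szCabinetPrev/szDiskPrev, szCabinetNext/szDiskNext
        _, pos = _read_sz(buf, pos, limit)
    _, _, type_compress = CFFOLDER.unpack_from(buf, pos)   # first folder decides the compression

    files, pos = [], off + coff_files
    for _ in range(c_files):
        if pos + CFFILE.size > limit:
            return None
        size, _, folder, _, _, attribs = CFFILE.unpack_from(buf, pos)
        raw_name, pos = _read_sz(buf, pos + CFFILE.size, limit)
        name = raw_name.decode("utf-8" if attribs & 0x80 else "cp437", errors="replace")
        letters = "".join(ch for bit, ch in ATTR_LETTERS.items() if attribs & bit)
        files.append(CabFile(name, size, letters, folder))
    return Cabinet(off, cb_cabinet, coff_files, describe_compression(type_compress), files)


def carve_cabinets(buf: bytes) -> list:
    """Locate every plausible cabinet in a carrier such as a PE's RT_RCDATA blob."""
    found, pos = [], buf.find(b"MSCF")
    while pos >= 0:
        cab = parse_cabinet(buf, pos)
        if cab:
            found.append(cab)
        pos = buf.find(b"MSCF", pos + 4)
    return found


def describe(cab: Cabinet) -> str:
    """Render one cabinet in the style of the report's static-PE resource line."""
    entries = " ".join(f'+{f.attribs} "{f.name}"' for f in cab.files)
    return (f"Microsoft Cabinet archive data, {cab.cab_size} bytes, {len(cab.files)} files, "
            f"at {cab.coff_files:#x} {entries}, {cab.compression}")


def build_sample_dropper() -> bytes:
    """Constructed test data, not the real sample: a carrier with a decoy 'MSCF' followed by a
    one-folder LZX cabinet holding the two stage-0 names. Sizes are invented, CFDATA is omitted."""
    entries = b"".join(
        CFFILE.pack(size, 0, 0, 0x5678, 0x1234, 0x20) + name + b"\x00"
        for name, size in ((b"niba6073.exe", 474000), (b"l64fQ59.exe", 236000)))
    folder = CFFOLDER.pack(0, 0, 0x1503)
    body = folder + entries + b"\x00" * 16      # padding stands in for the CFDATA blocks
    header = CFHEADER.pack(b"MSCF", 0, CFHEADER.size + len(body), 0,
                           CFHEADER.size + len(folder), 0, 3, 1, 1, 2, 0, 0x1861, 0)
    return b"MZ\x90\x00" + b"\x00" * 60 + b"MSCF" + b"\xff" * 40 + header + body
```

Run carve_cabinets over the raw bytes of each dropped stub in turn (pYHrqNhFKr.exe, then niba6073.exe, then niba2214.exe) and the three resource lines above fall out one per stage; a decompressor such as cabextract or 7-Zip is only needed once the file list justifies pulling the payloads.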
Source: pYHrqNhFKr.exe, 00000000.00000003.241408245.000000000300D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWearing.exe< vs pYHrqNhFKr.exe
Source: pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs pYHrqNhFKr.exe
Source: pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWearing.exe< vs pYHrqNhFKr.exe
Source: pYHrqNhFKr.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs pYHrqNhFKr.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe B182F2D3D49BDDA2E29A0ED312DEEF4BEE03983DE54080C5E97AD6422DE192D2
Source: imYkV36.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: h99af07.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pYHrqNhFKr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\pYHrqNhFKr.exe C:\Users\user\Desktop\pYHrqNhFKr.exe
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\"
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\"
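The process tree above is the fingerprint of a nested wextract chain: each stub creates IXP00n.TMP under %TEMP%, launches the next stub from it, and after the child exits removes the directory with rundll32 advpack.dll,DelNodeRunDLL32. The Python below is an added example for endpoint telemetry, not part of the report and not the sandbox's own detection: it takes process-creation events as (pid, ppid, image, command line) tuples, reconstructs each process's parent chain, and raises a finding for any executable running from an IXPnnn.TMP directory whose ancestry already contains another IXPnnn.TMP stage (nesting depth 2 or more), plus a finding for every advpack DelNodeRunDLL32 cleanup. The event list is constructed from the report's process tree; the PIDs are invented.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# wextract extracts into %TEMP%\IXP<nnn>.TMP; a stub launched from one stage creates the next.
IXP_DIR = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)
# After the child exits, wextract removes its directory via advpack's DelNodeRunDLL32 export.
DELNODE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"?(.*?IXP\d{3}\.TMP\\)', re.IGNORECASE)


def ixp_stage(path: str):
    """Stage number encoded in an IXPnnn.TMP path component, or None."""
    m = IXP_DIR.search(path)
    return int(m.group(1)) if m else None


def ancestry(events, pid):
    """Yield the event for pid, then its parent, and so on up to the first unknown ppid."""
    by_pid = {e.pid: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid].ppid


def detect_wextract_chain(events, min_depth: int = 2) -> list:
    """Return findings for nested IXP stages and for DelNodeRunDLL32 cleanup commands."""
    findings = []
    for e in events:
        if ixp_stage(e.image) is not None:
            chain = list(ancestry(events, e.pid))
            stages = [s for s in (ixp_stage(x.image) for x in chain) if s is not None]
            if len(stages) >= min_depth:
                findings.append({"rule": "nested_wextract_stage", "pid": e.pid, "image": e.image,
                                 "depth": len(stages), "chain": [x.image for x in reversed(chain)]})
        m = DELNODE.search(e.cmdline)
        if m and e.image.lower().endswith("\\rundll32.exe"):
            findings.append({"rule": "wextract_cleanup", "pid": e.pid,
                             "dir": m.group(1), "stage": ixp_stage(m.group(1))})
    return findings


def sample_events() -> list:
    """Constructed from the report's process tree; PIDs are invented."""
    temp = r"C:\Users\user\AppData\Local\Temp"
    rundll = r"C:\Windows\System32\rundll32.exe"

    def cleanup(stage_dir):
        return ('"C:\\Windows\\system32\\rundll32.exe" C:\\Windows\\system32\\advpack.dll,'
                f'DelNodeRunDLL32 "{temp}\\{stage_dir}\\"')

    return [
        Event(1000, 800, r"C:\Users\user\Desktop\pYHrqNhFKr.exe", r"C:\Users\user\Desktop\pYHrqNhFKr.exe"),
        Event(1010, 1000, temp + r"\IXP000.TMP\niba6073.exe", temp + r"\IXP000.TMP\niba6073.exe"),
        Event(1020, 1010, temp + r"\IXP001.TMP\niba2214.exe", temp + r"\IXP001.TMP\niba2214.exe"),
        Event(1030, 1020, temp + r"\IXP002.TMP\f7051zI.exe", temp + r"\IXP002.TMP\f7051zI.exe"),
        Event(1040, 1020, temp + r"\IXP002.TMP\h99af07.exe", temp + r"\IXP002.TMP\h99af07.exe"),
        Event(1050, 1020, rundll, cleanup("IXP002.TMP")),
        Event(1060, 1010, rundll, cleanup("IXP001.TMP")),
        Event(1070, 1000, rundll, cleanup("IXP000.TMP")),
    ]
```

A single IXP000.TMP stage is ordinary IExpress behaviour and is not alerted on by itself; the nesting (depth 2 and 3 here) and the three cleanups are what separate this chain from a legitimate self-extracting installer. The quote before rundll32.exe is optional in the pattern so that command lines rendered as on this page still match.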
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f7051zI.exe.log
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/8@0/0
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 0_2_008A597D
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A3FEF CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA, 0_2_008A3FEF
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe Code function: 3_2_00007FFC9DD11B10 ChangeServiceConfigA, 3_2_00007FFC9DD11B10
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A4FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA, 0_2_008A4FE0
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Command line argument: Kernel32.dll 0_2_008A2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Command line argument: Kernel32.dll 1_2_00072BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Command line argument: Kernel32.dll 2_2_01252BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Command line argument: 08A 5_2_00413780
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Automated click: OK
Source: pYHrqNhFKr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pYHrqNhFKr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pYHrqNhFKr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pYHrqNhFKr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pYHrqNhFKr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pYHrqNhFKr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Unpacked PE file: 5.2.h99af07.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Unpacked PE file: 5.2.h99af07.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A724D push ecx; ret 0_2_008A7260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Code function: 1_2_0007724D push ecx; ret 1_2_00077260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Code function: 2_2_0125724D push ecx; ret 2_2_01257260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_0041C40C push cs; iretd 5_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00423149 push eax; ret 5_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_0041C50E push cs; iretd 5_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00422D28 push ss; ret 5_2_00422D3A
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_004231C8 push eax; ret 5_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_0040E21D push ecx; ret 5_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_0041C6BE push ebx; ret 5_2_0041C6BF
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_02E9C693 push edi; retf 5_2_02E9C694
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_02E99748 push FFFFFFE1h; ret 5_2_02E99757
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_045E454E push ecx; retf 5_2_045E4554
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_045E4139 push edi; iretd 5_2_045E414E
Source: l64fQ59.exe.0.dr Static PE information: link timestamp 0xD1DEA1A2 [Tue Jul 29 15:28:34 2081 UTC] (decades in the future; the "suspicious time stamp" signature)
Source: initial sample Static PE information: section name: .text entropy: 7.842085736950787
Source: initial sample Static PE information: section name: .text entropy: 7.7554731967823
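Two of the static findings above, the 2081 link timestamp of l64fQ59.exe and .text sections with entropy close to 8 bits per byte, can be reproduced without a sandbox and are cheap first-pass indicators for any dropped file. The Python below is an added example, not the report's or Joe Sandbox's code: it reads the COFF file header and section table directly with struct (no pefile dependency), converts TimeDateStamp to UTC and flags values later than the scan time or before 2000 (hypothetical bounds), and computes Shannon entropy per section, flagging anything above 7.2 (a hypothetical threshold; the report's 7.76 and 7.84 sit well above it) as probably packed or encrypted. The build_sample_pe helper constructs a minimal PE32 with the report's timestamp, one maximally random .text and one zero-filled .data; it is test data, not the real dropped file, and is not loadable.

```python
import math
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
ENTROPY_PACKED = 7.2                                   # hypothetical threshold, bits per byte
EARLIEST_SANE = datetime(2000, 1, 1, tzinfo=timezone.utc)  # hypothetical lower bound


def coff_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, UTC."""
    return EPOCH + timedelta(seconds=ts)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely (random or encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pe(buf: bytes, now: datetime = None) -> dict:
    """Parse the headers by hand and return timestamp and per-section entropy findings."""
    now = now or datetime.now(timezone.utc)
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
    if buf[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, n_sections, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe_off + 4)
    compiled = coff_timestamp(ts)
    sections, sec_off = [], pe_off + 24 + opt_size
    for i in range(n_sections):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        name, _, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", buf, sec_off + 40 * i)
        ent = shannon_entropy(buf[raw_ptr:raw_ptr + raw_size])
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "entropy": round(ent, 3),
            "executable": bool(chars & 0x20000000),           # IMAGE_SCN_MEM_EXECUTE
            "packed": ent > ENTROPY_PACKED,
        })
    return {
        "machine": machine,
        "timestamp": compiled,
        "timestamp_suspicious": compiled > now or compiled < EARLIEST_SANE,
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed test image: PE32 (0x14C, EXECUTABLE_IMAGE|32BIT_MACHINE) with the report's
    timestamp, a maximally random .text and a zero-filled .data. Headers only; not loadable."""
    text = bytes(range(256)) * 4                 # every byte value equally often: entropy 8.0
    data = b"\x00" * 512
    pe_off = 0x40
    opt = struct.pack("<H", 0x10B) + b"\x00" * 222        # PE32 magic, rest of the 224-byte optional header zeroed
    hdr_end = pe_off + 4 + 20 + len(opt) + 40 * 2
    text_ptr = (hdr_end + 0x1FF) & ~0x1FF                  # first 512-byte file-aligned slot
    data_ptr = text_ptr + len(text)

    def section(name, size, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, chars)

    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0xD1DEA1A2, 0, 0, len(opt), 0x0102)
    headers = dos + b"PE\x00\x00" + coff + opt
    headers += section(b".text", len(text), text_ptr, 0x60000020)   # CODE|EXECUTE|READ
    headers += section(b".data", len(data), data_ptr, 0xC0000040)   # INITIALIZED_DATA|READ|WRITE
    return headers.ljust(text_ptr, b"\x00") + text + data
```

On the real dropped files the same function reports a future timestamp for l64fQ59.exe and .text entropy in the 7.7 to 7.9 range, both consistent with the report's "suspicious time stamp" and "unpacking" signatures; neither check alone is proof of packing, so treat them as triage, not verdicts.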
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_008A1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Code function: 1_2_00071AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 1_2_00071AE8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Code function: 2_2_01251AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 2_2_01251AE8
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe TID: 5184 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe TID: 2512 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A5467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_008A5467
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_008A2390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Code function: 1_2_00072390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00072390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Code function: 2_2_01252390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_01252390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_0040ADB0 GetProcessHeap,HeapFree, 5_2_0040ADB0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_02E97C33 push dword ptr fs:[00000030h] 5_2_02E97C33
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A6F40 SetUnhandledExceptionFilter, 0_2_008A6F40
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_008A6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Code function: 1_2_00076F40 SetUnhandledExceptionFilter, 1_2_00076F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe Code function: 1_2_00076CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00076CF0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Code function: 2_2_01256F40 SetUnhandledExceptionFilter, 2_2_01256F40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe Code function: 2_2_01256CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_01256CF0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: 5_2_004123F1 SetUnhandledExceptionFilter, 5_2_004123F1
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A18A3 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, 0_2_008A18A3
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Code function: GetLocaleInfoA, 5_2_00417A20
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A7155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_008A7155
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe Code function: 0_2_008A2BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, 0_2_008A2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe Code function: 3_2_00007FFC9DD1077D GetUserNameA, 3_2_00007FFC9DD1077D

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Stealing of Sensitive Information

Source: Yara match File source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED
No contacted IP infos