Windows Analysis Report
d3HccaLUT7.exe

Overview

General Information

Sample Name: d3HccaLUT7.exe
Original Sample Name: d226c85940774672726af5fb360fc1de.exe
Analysis ID: 829684
MD5: d226c85940774672726af5fb360fc1de
SHA1: ed5fdad6f3c74fdfb5387668235100f48ba6a232
SHA256: 113b3ee1d70fe7111ea748cad0ec0f8f560d9003474d2bacaea6650fc961ddf7
Tags: exe, RedLineStealer
Detection

Amadey, RedLine
Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Amadey's stealer DLL
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • d3HccaLUT7.exe (PID: 6356 cmdline: C:\Users\user\Desktop\d3HccaLUT7.exe MD5: D226C85940774672726AF5FB360FC1DE)
    • kino0095.exe (PID: 6372 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe MD5: 566C1099548DF136503F4DC814D54B17)
      • kino2456.exe (PID: 6392 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe MD5: EBD95183957BECDB18025FC9D553B15E)
        • kino0588.exe (PID: 6412 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe MD5: 54A8FD200F50B6AF0F10CA6EB68471D3)
          • bus9402.exe (PID: 6428 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe MD5: 7E93BACBBC33E6652E147E7FE07572A0)
          • con1332.exe (PID: 6616 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe MD5: 0B63FCA2981CA840B845011956E212AD)
  • rundll32.exe (PID: 6492 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 6644 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 6684 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 6792 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP003.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about 500$ on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "31.41.244.200/games/category/index.php", "Version": "3.68"}
{"C2 url": "193.233.20.30:4125", "Bot Id": "relon", "Authorization Header": "17da69809725577b595e217ba006b869"}
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x1a434:$pat14: , CommandLine:
  • 0x134a7:$v2_1: ListOfProcesses
  • 0x13286:$v4_3: base64str
  • 0x13dff:$v4_4: stringKey
  • 0x11b63:$v4_5: BytesToStringConverted
  • 0x10d76:$v4_6: FromBase64
  • 0x12098:$v4_8: procName
  • 0x12811:$v5_5: FileScanning
  • 0x11d6c:$v5_7: RecordHeaderField
  • 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source: 00000006.00000003.345850863.0000000002C50000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000006.00000003.345850863.0000000002C50000.00000004.00001000.00020000.00000000.sdmp | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 00000000.00000002.392209330.00000000067B0000.00000040.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown
  • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 00000006.00000002.370660080.0000000002DA6000.00000040.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown
  • 0x1690:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 6.2.con1332.exe.400000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 6.2.con1332.exe.400000.0.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Source: 6.2.con1332.exe.2c20e67.1.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 6.2.con1332.exe.2c20e67.1.raw.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Source: 1.3.kino0095.exe.5160220.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: d3HccaLUT7.exe | Virustotal: Detection: 46%
Source: d3HccaLUT7.exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe | Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe | Virustotal: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Virustotal: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe | ReversingLabs: Detection: 88%
Source: d3HccaLUT7.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Joe Sandbox ML: detected
Source: 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.30:4125", "Bot Id": "relon", "Authorization Header": "17da69809725577b595e217ba006b869"}
Source: 0.3.d3HccaLUT7.exe.7068a20.1.unpack | Malware Configuration Extractor: Amadey {"C2 url": "31.41.244.200/games/category/index.php", "Version": "3.68"}
Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Code function: 1_2_00302F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Code function: 2_2_00FC2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Code function: 3_2_00B82F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA

Compliance

Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Unpacked PE file: 0.2.d3HccaLUT7.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Unpacked PE file: 6.2.con1332.exe.400000.0.unpack
Source: d3HccaLUT7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\d3HccaLUT7.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                Source: Binary string: wextract.pdb source: d3HccaLUT7.exe, d3HccaLUT7.exe, 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kino0095.exe, kino0095.exe, 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, kino0095.exe, 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, kino2456.exe, kino2456.exe, 00000002.00000000.309335092.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, kino0588.exe, kino0588.exe, 00000003.00000000.310280030.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, kino0095.exe.0.dr, kino2456.exe.1.dr, kino0588.exe.2.dr
                Source: Binary string: Healer.pdb source: con1332.exe, 00000006.00000002.370856585.0000000004680000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 00000006.00000002.370894086.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.370971517.0000000004B91000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 00000006.00000003.346171315.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.371999193.00000000075A0000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: ge821663.exe.0.dr
                Source: Binary string: wextract.pdbGCTL source: d3HccaLUT7.exe, 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kino0095.exe, 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, kino0095.exe, 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, kino2456.exe, 00000002.00000000.309335092.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, kino0588.exe, 00000003.00000000.310280030.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, kino0095.exe.0.dr, kino2456.exe.1.dr, kino0588.exe.2.dr
                Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: dvL76s65.exe.2.dr
                Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino0588.exe, 00000003.00000003.310724099.0000000004C24000.00000004.00000020.00020000.00000000.sdmp, bus9402.exe, 00000004.00000000.310959531.0000000000A82000.00000002.00000001.01000000.00000007.sdmp, bus9402.exe.3.dr
                Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: kino0588.exe, 00000003.00000003.310724099.0000000004C24000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000000.344903620.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1332.exe.3.dr
                Source: Binary string: _.pdb source: con1332.exe, 00000006.00000002.370856585.0000000004680000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 00000006.00000002.370894086.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.370971517.0000000004B91000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 00000006.00000003.346171315.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb source: dvL76s65.exe.2.dr
                Source: Binary string: C:\sigizecem\xigago\tukonunoz_givizadi\yodawusafix\11\j.pdb source: d3HccaLUT7.exe
                Source: Binary string: Healer.pdbH5 source: con1332.exe, 00000006.00000002.370856585.0000000004680000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 00000006.00000002.370894086.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.370971517.0000000004B91000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 00000006.00000003.346171315.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.371999193.00000000075A0000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Code function: 0_2_00402390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Code function: 1_2_00302390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Code function: 2_2_00FC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Code function: 3_2_00B82390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA

Networking

Source: Malware configuration extractor | URLs: 31.41.244.200/games/category/index.php
Source: Malware configuration extractor | URLs: 193.233.20.30:4125
Source: kino0095.exe, 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, en675431.exe.1.dr | String found in binary or memory: https://api.ip.sb/ip

System Summary

                Source: 6.2.con1332.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 6.2.con1332.exe.2c20e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 1.3.kino0095.exe.5160220.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 6.2.con1332.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 6.3.con1332.exe.2c50000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 1.3.kino0095.exe.5160220.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 00000006.00000003.345850863.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 00000000.00000002.392209330.00000000067B0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000006.00000002.370660080.0000000002DA6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 00000006.00000002.370376252.0000000002C20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000002.392398994.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, type: DROPPEDMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: d3HccaLUT7.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 6.2.con1332.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 6.2.con1332.exe.2c20e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 1.3.kino0095.exe.5160220.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 6.2.con1332.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 6.3.con1332.exe.2c50000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 1.3.kino0095.exe.5160220.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000006.00000003.345850863.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000000.00000002.392209330.00000000067B0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000006.00000002.370660080.0000000002DA6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000006.00000002.370376252.0000000002C20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000002.392398994.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, type: DROPPEDMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: C:\Users\user\Desktop\d3HccaLUT7.exeCode function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,0_2_00401F90
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exeCode function: 1_2_00301F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,1_2_00301F90
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exeCode function: 2_2_00FC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,2_2_00FC1F90
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exeCode function: 3_2_00B81F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,3_2_00B81F90
                Source: C:\Users\user\Desktop\d3HccaLUT7.exeCode function: 0_2_00403BA20_2_00403BA2
                Source: C:\Users\user\Desktop\d3HccaLUT7.exeCode function: 0_2_00405C9E0_2_00405C9E
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exeCode function: 1_2_00303BA21_2_00303BA2
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exeCode function: 1_2_00305C9E1_2_00305C9E
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exeCode function: 2_2_00FC3BA22_2_00FC3BA2
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exeCode function: 2_2_00FC5C9E2_2_00FC5C9E
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exeCode function: 3_2_00B83BA23_2_00B83BA2
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exeCode function: 3_2_00B85C9E3_2_00B85C9E
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_00408C606_2_00408C60
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_0040DC116_2_0040DC11
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_00407C3F6_2_00407C3F
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_00418CCC6_2_00418CCC
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_00406CA06_2_00406CA0
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_004028B06_2_004028B0
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_0041A4BE6_2_0041A4BE
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_004182446_2_00418244
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_004016506_2_00401650
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_00402F206_2_00402F20
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_004193C46_2_004193C4
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_004187886_2_00418788
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 6_2_00402F896_2_00402F89
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 6_2_00402B90 | 6_2_00402B90
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 6_2_004073A0 | 6_2_004073A0
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 6_2_07010DB0 | 6_2_07010DB0
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: String function: 0040E1D8 appears 44 times
                Source: kino0095.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 712052 bytes, 2 files, at 0x2c +A "kino2456.exe" +A "en675431.exe", ID 1903, number 1, 28 datablocks, 0x1503 compression
                Source: kino2456.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 566384 bytes, 2 files, at 0x2c +A "kino0588.exe" +A "dvL76s65.exe", ID 2007, number 1, 24 datablocks, 0x1503 compression
                Source: kino0588.exe.2.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 206926 bytes, 2 files, at 0x2c +A "bus9402.exe" +A "con1332.exe", ID 1794, number 1, 11 datablocks, 0x1503 compression
                Source: d3HccaLUT7.exe | Binary or memory string: OriginalFilename vs d3HccaLUT7.exe
                Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe 319B22945BEEB7424FE6DB1E9953AD5F2DC12CBBA2FE24E599C3DEDA678893BB
                Source: d3HccaLUT7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: dvL76s65.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: con1332.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: d3HccaLUT7.exe | Virustotal: Detection: 46%
                Source: d3HccaLUT7.exe | ReversingLabs: Detection: 41%
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\d3HccaLUT7.exe C:\Users\user\Desktop\d3HccaLUT7.exe
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP003.TMP\
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Code function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx | 0_2_00401F90
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Code function: 1_2_00301F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx | 1_2_00301F90
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Code function: 2_2_00FC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx | 2_2_00FC1F90
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Code function: 3_2_00B81F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx | 3_2_00B81F90
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bus9402.exe.log
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
                Source: classification engine | Classification label: mal93.troj.spyw.evad.winEXE@15/10@0/0
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Code function: 0_2_0040597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA | 0_2_0040597D
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe | Code function: 4_2_00007FF814661B10 ChangeServiceConfigA | 4_2_00007FF814661B10
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Code function: 0_2_067B07C6 CreateToolhelp32Snapshot,Module32First | 0_2_067B07C6
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Code function: 0_2_00404FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA | 0_2_00404FE0
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Command line argument: Kernel32.dll | 0_2_00402BFB
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Command line argument: Kernel32.dll | 1_2_00302BFB
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Command line argument: Kernel32.dll | 2_2_00FC2BFB
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Command line argument: Kernel32.dll | 3_2_00B82BFB
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Command line argument: 08A | 6_2_00413780
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Automated click: OK
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Automated click: OK
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Automated click: OK
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: d3HccaLUT7.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                Source: d3HccaLUT7.exe | Static file information: File size 1228288 > 1048576
                Source: d3HccaLUT7.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106a00
                Source: d3HccaLUT7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: d3HccaLUT7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: d3HccaLUT7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: d3HccaLUT7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: d3HccaLUT7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: d3HccaLUT7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: d3HccaLUT7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: wextract.pdb source: d3HccaLUT7.exe, d3HccaLUT7.exe, 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kino0095.exe, kino0095.exe, 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, kino0095.exe, 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, kino2456.exe, kino2456.exe, 00000002.00000000.309335092.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, kino0588.exe, kino0588.exe, 00000003.00000000.310280030.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, kino0095.exe.0.dr, kino2456.exe.1.dr, kino0588.exe.2.dr
                Source: Binary string: Healer.pdb source: con1332.exe, 00000006.00000002.370856585.0000000004680000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 00000006.00000002.370894086.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.370971517.0000000004B91000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 00000006.00000003.346171315.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.371999193.00000000075A0000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: ge821663.exe.0.dr
                Source: Binary string: wextract.pdbGCTL source: d3HccaLUT7.exe, 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kino0095.exe, 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, kino0095.exe, 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, kino2456.exe, 00000002.00000000.309335092.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, kino0588.exe, 00000003.00000000.310280030.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, kino0095.exe.0.dr, kino2456.exe.1.dr, kino0588.exe.2.dr
                Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: dvL76s65.exe.2.dr
                Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino0588.exe, 00000003.00000003.310724099.0000000004C24000.00000004.00000020.00020000.00000000.sdmp, bus9402.exe, 00000004.00000000.310959531.0000000000A82000.00000002.00000001.01000000.00000007.sdmp, bus9402.exe.3.dr
                Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: kino0588.exe, 00000003.00000003.310724099.0000000004C24000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000000.344903620.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1332.exe.3.dr
                Source: Binary string: _.pdb source: con1332.exe, 00000006.00000002.370856585.0000000004680000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 00000006.00000002.370894086.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.370971517.0000000004B91000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 00000006.00000003.346171315.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb source: dvL76s65.exe.2.dr
                Source: Binary string: C:\sigizecem\xigago\tukonunoz_givizadi\yodawusafix\11\j.pdb source: d3HccaLUT7.exe
                Source: Binary string: Healer.pdbH5 source: con1332.exe, 00000006.00000002.370856585.0000000004680000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 00000006.00000002.370894086.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.370971517.0000000004B91000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 00000006.00000003.346171315.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.371999193.00000000075A0000.00000004.08000000.00040000.00000000.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Unpacked PE file: 0.2.d3HccaLUT7.exe.400000.0.unpack
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Unpacked PE file: 6.2.con1332.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Unpacked PE file: 0.2.d3HccaLUT7.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.data:W;.idata:R;.rsrc:R;.reloc:R;
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Unpacked PE file: 6.2.con1332.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Code function: 0_2_0040724D push ecx; ret | 0_2_00407260
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Code function: 0_2_067B5623 pushfd ; ret | 0_2_067B5624
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Code function: 0_2_067B1F0B push FFFFFF8Bh; ret | 0_2_067B1F0D
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Code function: 0_2_067B38D3 push cs; ret | 0_2_067B38D4
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Code function: 0_2_067B1E94 pushad ; retf | 0_2_067B1E95
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Code function: 1_2_0030724D push ecx; ret | 1_2_00307260
                Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Code function: 2_2_00FC724D push ecx; ret | 2_2_00FC7260
                Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Code function: 3_2_00B8724D push ecx; ret | 3_2_00B87260
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 6_2_0041C40C push cs; iretd | 6_2_0041C4E2
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 6_2_00423149 push eax; ret | 6_2_00423179
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 6_2_0041C50E push cs; iretd | 6_2_0041C4E2
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 6_2_004231C8 push eax; ret | 6_2_00423179
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 6_2_0040E21D push ecx; ret | 6_2_0040E230
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 6_2_0041C6BE push ebx; ret | 6_2_0041C6BF
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 6_2_07011B4D push ss; iretd | 6_2_07011B4F
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 6_2_07014139 push edi; iretd | 6_2_0701414E
                Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 6_2_0701454E push ecx; retf | 6_2_07014554
                Source: C:\Users\user\Desktop\d3HccaLUT7.exe | Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA | 0_2_00402F1D
                Source: en675431.exe.1.dr | Static PE information: 0xEFAF45DE [Wed Jun 5 03:28:30 2097 UT