
Windows Analysis Report
SzznpUhIjo.exe

Overview

General Information

Sample Name: SzznpUhIjo.exe
Original Sample Name: f62fe8447c5e9b9ea5ac424543ad20b3.exe
Analysis ID: 829685
MD5: f62fe8447c5e9b9ea5ac424543ad20b3
SHA1: 847f52f9fff9b080e44de6738b61141b289cd09c
SHA256: d7f0a894956299f235cc735af3469746f223b3394abc85660e89872503e55982
Tags: exe, RedLineStealer

Detection

Malware family: Amadey, RedLine
Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Amadeys stealer DLL
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • SzznpUhIjo.exe (PID: 6092 cmdline: C:\Users\user\Desktop\SzznpUhIjo.exe MD5: F62FE8447C5E9B9EA5AC424543AD20B3)
    • kino5628.exe (PID: 6084 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe MD5: 51B7FE413501DC9DD84CF1FCBB4C4BA2)
      • kino6423.exe (PID: 6028 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe MD5: DB27DCB2B593E449358CEC94D3D257DA)
        • kino4801.exe (PID: 6116 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe MD5: 211103CF935C81941C9A7C527A99891E)
          • bus7600.exe (PID: 4084 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe MD5: 7E93BACBBC33E6652E147E7FE07572A0)
          • con1165.exe (PID: 5392 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe MD5: 3930494C030BFEF77C7C0624C1F6BAEB)
  • rundll32.exe (PID: 680 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 2432 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 1504 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 2460 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about 500$ on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "31.41.244.200/games/category/index.php", "Version": "3.68"}
{"C2 url": "193.233.20.30:4125", "Bot Id": "relon", "Authorization Header": "17da69809725577b595e217ba006b869"}
Source | Rule | Description | Author | Strings
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x1a434:$pat14: , CommandLine:
  • 0x134a7:$v2_1: ListOfProcesses
  • 0x13286:$v4_3: base64str
  • 0x13dff:$v4_4: stringKey
  • 0x11b63:$v4_5: BytesToStringConverted
  • 0x10d76:$v4_6: FromBase64
  • 0x12098:$v4_8: procName
  • 0x12811:$v5_5: FileScanning
  • 0x11d6c:$v5_7: RecordHeaderField
  • 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security

Source | Rule | Description | Author | Strings
Source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Smokeloader_3687686f | Description: unknown | Author: unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 9.2.con1165.exe.400000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 9.2.con1165.exe.400000.0.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 9.2.con1165.exe.400000.0.raw.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
Source: 9.2.con1165.exe.400000.0.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 9.2.con1165.exe.2da0e67.1.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
No Sigma rule has matched
No Snort rule has matched


                  AV Detection

Source: SzznpUhIjo.exe | ReversingLabs: Detection: 43%
Source: SzznpUhIjo.exe | Virustotal: Detection: 49%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe | Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe | Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe | Virustotal: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe | Virustotal: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe | Virustotal: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe | ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe | ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe | ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe | ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | ReversingLabs: Detection: 66%
Source: SzznpUhIjo.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe | Joe Sandbox ML: detected
Source: 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.30:4125", "Bot Id": "relon", "Authorization Header": "17da69809725577b595e217ba006b869"}
Source: 0.3.SzznpUhIjo.exe.6f54a20.1.unpack | Malware Configuration Extractor: Amadey {"C2 url": "31.41.244.200/games/category/index.php", "Version": "3.68"}
Source: C:\Users\user\Desktop\SzznpUhIjo.exe | Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe | Code function: 1_2_008E2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe | Code function: 2_2_00E52F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe | Code function: 3_2_010D2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA

                  Compliance

Source: C:\Users\user\Desktop\SzznpUhIjo.exe | Unpacked PE file: 0.2.SzznpUhIjo.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Unpacked PE file: 9.2.con1165.exe.400000.0.unpack
Source: SzznpUhIjo.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SzznpUhIjo.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: Binary string: C:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr
                  Source: Binary string: wextract.pdb source: SzznpUhIjo.exe, SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr
                  Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: SzznpUhIjo.exe, 00000000.00000003.256081932.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, ge280443.exe.0.dr
                  Source: Binary string: Healer.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: wextract.pdbGCTL source: SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr
                  Source: Binary string: PC:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr
                  Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, bus7600.exe, 00000004.00000000.259206423.0000000000822000.00000002.00000001.01000000.00000007.sdmp, bus7600.exe.3.dr
                  Source: Binary string: XAC:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr
                  Source: Binary string: _.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000003.293865027.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.316698493.0000000002E98000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\zen\nuheweca.pdb source: SzznpUhIjo.exe
                  Source: Binary string: Healer.pdbH5 source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: C:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr
Source: C:\Users\user\Desktop\SzznpUhIjo.exe | Code function: 0_2_00402390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe | Code function: 1_2_008E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe | Code function: 2_2_00E52390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe | Code function: 3_2_010D2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA

                  Networking

Source: Malware configuration extractor | URLs: 31.41.244.200/games/category/index.php
Source: Malware configuration extractor | URLs: 193.233.20.30:4125
Source: kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, en239906.exe.1.dr | String found in binary or memory: https://api.ip.sb/ip
Source: con1165.exe, 00000009.00000002.316630593.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary

Source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.341685333.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.316668372.0000000002E26000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: SzznpUhIjo.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.341685333.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.316668372.0000000002E26000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\SzznpUhIjo.exe | Code function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe | Code function: 1_2_008E1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe | Code function: 2_2_00E51F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe | Code function: 3_2_010D1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\SzznpUhIjo.exe | Code function: 0_2_00403BA2
Source: C:\Users\user\Desktop\SzznpUhIjo.exe | Code function: 0_2_00405C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe | Code function: 1_2_008E3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe | Code function: 1_2_008E5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe | Code function: 2_2_00E53BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe | Code function: 2_2_00E55C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe | Code function: 3_2_010D3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe | Code function: 3_2_010D5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_00418244
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_00401650
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_00418788
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_02DA2B17
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_02DA18B7
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_02DA786D
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_02DA31F0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_02DB89EF
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_02DA3187
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_02DA8EC7
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_02DA7EA6
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_02DADE78
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_02DA77D9
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe | Code function: 9_2_02DA6F07
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exeCode function: 9_2_02DB8F339_2_02DB8F33
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exeCode function: 9_2_02DBA7259_2_02DBA725
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exeCode function: 9_2_02DB84AB9_2_02DB84AB
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exeCode function: 9_2_02DA2DF79_2_02DA2DF7
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exeCode function: String function: 0040E1D8 appears 44 times
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exeCode function: String function: 02DAE43F appears 44 times
                  Source: kino5628.exe.0.drStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 724274 bytes, 2 files, at 0x2c +A "kino6423.exe" +A "en239906.exe", ID 1904, number 1, 28 datablocks, 0x1503 compression
                  Source: kino6423.exe.1.drStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 578750 bytes, 2 files, at 0x2c +A "kino4801.exe" +A "dNT35s70.exe", ID 1958, number 1, 25 datablocks, 0x1503 compression
                  Source: kino4801.exe.2.drStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 205326 bytes, 2 files, at 0x2c +A "bus7600.exe" +A "con1165.exe", ID 1796, number 1, 11 datablocks, 0x1503 compression
                  Source: kino4801.exe.2.drStatic PE information: Resource name: RT_RCDATA type: 370 sysV pure executable not stripped
                  Source: SzznpUhIjo.exeBinary or memory string: OriginalFilename vs SzznpUhIjo.exe
                  Source: SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs SzznpUhIjo.exe
                  Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe 319B22945BEEB7424FE6DB1E9953AD5F2DC12CBBA2FE24E599C3DEDA678893BB
                  Source: SzznpUhIjo.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: dNT35s70.exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: con1165.exe.3.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: SzznpUhIjo.exeReversingLabs: Detection: 43%
                  Source: SzznpUhIjo.exeVirustotal: Detection: 49%
                  Source: SzznpUhIjo.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\SzznpUhIjo.exe C:\Users\user\Desktop\SzznpUhIjo.exe
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe
                  Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe
                  Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe
                  Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                  Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe
                  Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
                  Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
                  Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exeJump to behavior
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exeCode function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,0_2_00401F90
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exeCode function: 1_2_008E1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,1_2_008E1F90
                  Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exeCode function: 2_2_00E51F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,2_2_00E51F90
                  Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exeCode function: 3_2_010D1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,3_2_010D1F90
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bus7600.exe.logJump to behavior
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMPJump to behavior
                  Source: classification engineClassification label: mal93.troj.spyw.evad.winEXE@15/10@0/0
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exeCode function: 0_2_0040597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,0_2_0040597D
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Code function: 4_2_00007FFBACD21B10 ChangeServiceConfigA
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_068807C6 CreateToolhelp32Snapshot,Module32First
                  Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00404FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe Command line argument: Kernel32.dll 0_2_00402BFB
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Command line argument: Kernel32.dll 1_2_008E2BFB
                  Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Command line argument: Kernel32.dll 2_2_00E52BFB
                  Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Command line argument: Kernel32.dll 3_2_010D2BFB
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Command line argument: 08A 9_2_00413780
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe Automated click: OK
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Automated click: OK
                  Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Automated click: OK
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: SzznpUhIjo.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: SzznpUhIjo.exe Static file information: File size 1238528 > 1048576
                  Source: SzznpUhIjo.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x109200
                  Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: C:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr
                  Source: Binary string: wextract.pdb source: SzznpUhIjo.exe, SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr
                  Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: SzznpUhIjo.exe, 00000000.00000003.256081932.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, ge280443.exe.0.dr
                  Source: Binary string: Healer.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: wextract.pdbGCTL source: SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr
                  Source: Binary string: PC:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr
                  Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, bus7600.exe, 00000004.00000000.259206423.0000000000822000.00000002.00000001.01000000.00000007.sdmp, bus7600.exe.3.dr
                  Source: Binary string: XAC:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr
                  Source: Binary string: _.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000003.293865027.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.316698493.0000000002E98000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\zen\nuheweca.pdb source: SzznpUhIjo.exe
                  Source: Binary string: Healer.pdbH5 source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: C:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe Unpacked PE file: 0.2.SzznpUhIjo.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Unpacked PE file: 9.2.con1165.exe.400000.0.unpack
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe Unpacked PE file: 0.2.SzznpUhIjo.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.data:W;.idata:R;.rsrc:R;.reloc:R;
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Unpacked PE file: 9.2.con1165.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_0040724D push ecx; ret 0_2_00407260
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_06881E94 pushad ; retf 0_2_06881E95
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_068838D3 push cs; ret 0_2_068838D4
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_06881F0B push FFFFFF8Bh; ret 0_2_06881F0D
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_06885624 pushfd ; ret 0_2_06885625
                  Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Code function: 1_2_008E724D push ecx; ret 1_2_008E7260
                  Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Code function: 2_2_00E5724D push ecx; ret 2_2_00E57260
                  Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Code function: 3_2_010D724D push ecx; ret 3_2_010D7260
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_0041C40C push cs; iretd 9_2_0041C4E2
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_00423149 push eax; ret 9_2_00423179
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_0041C50E push cs; iretd 9_2_0041C4E2
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_004231C8 push eax; ret 9_2_00423179
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_0040E21D push ecx; ret 9_2_0040E230
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_0041C6BE push ebx; ret 9_2_0041C6BF
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DBC125 push ebx; ret 9_2_02DBC126
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DBBE73 push cs; iretd 9_2_02DBBF49
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DBBF75 push cs; iretd 9_2_02DBBF49
                  Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DAE484 push ecx; ret 9_2_02DAE497
                  Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
                  Source: en239906.exe.1.dr Static PE information: 0xEFAF45DE [Wed Jun 5 03:28:30 2097 UTC]
                  Source: initial sample Static PE information: section name: .text entropy: 7.985785026742163
                  Source: initial sample Static PE information: section name: .text entropy: 7.769697619291595
                  Source: initial sample Static PE information: section name: .text entropy: 7.747055941352255
                  Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe File created: C:\Users\user\AppData\Local\Te