Windows Analysis Report
aeICl0Aabv.exe

Overview

General Information

Sample Name: aeICl0Aabv.exe
Original Sample Name: 0192d35c916b3a26132cef7dd09dbabe.exe
Analysis ID: 831157
MD5: 0192d35c916b3a26132cef7dd09dbabe
SHA1: 9480935bca8e7c22c379e894633ad59acae0c871
SHA256: 06736e8c8a3dafb02d3ce28f9917f7e79e37b6a0d998c375b91d7029ef356da5
Tags: exe, RedLineStealer

Detection

Amadey, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Amadeys stealer DLL
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: aeICl0Aabv.exe ReversingLabs: Detection: 61%
Source: aeICl0Aabv.exe Virustotal: Detection: 57%
Source: aeICl0Aabv.exe Avira: detected
Source: 62.204.41.87/joomla/index.php Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe Virustotal: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe Virustotal: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Virustotal: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\w77lD51.exe ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\w77lD51.exe Virustotal: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe ReversingLabs: Detection: 48%
Source: aeICl0Aabv.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\w77lD51.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe Joe Sandbox ML: detected
Source: 00000001.00000003.247343724.000000000104F000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.30:4125", "Bot Id": "vint", "Authorization Header": "fb8811912f8370b3d23bffda092d88d0"}
Source: 0.3.aeICl0Aabv.exe.4710420.0.raw.unpack Malware Configuration Extractor: Amadey {"C2 url": "62.204.41.87/joomla/index.php", "Version": "3.68"}
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00052F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00052F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Code function: 1_2_012E2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 1_2_012E2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Code function: 2_2_00DE2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 2_2_00DE2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Code function: 3_2_00A12F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 3_2_00A12F1D

Compliance

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Unpacked PE file: 6.2.v7930id.exe.400000.0.unpack
Source: aeICl0Aabv.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: aeICl0Aabv.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: aeICl0Aabv.exe, zap9052.exe.0.dr, zap8476.exe.2.dr, zap9953.exe.1.dr
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: aeICl0Aabv.exe, 00000000.00000003.246587631.000000000464E000.00000004.00000020.00020000.00000000.sdmp, y89Te35.exe.0.dr
Source: Binary string: Healer.pdb source: v7930id.exe, 00000006.00000002.307100759.0000000001F60000.00000004.00000020.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.307303820.0000000002350000.00000004.08000000.00040000.00000000.sdmp, v7930id.exe, 00000006.00000002.307333440.0000000002531000.00000004.00000800.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.307209592.0000000002290000.00000004.08000000.00040000.00000000.sdmp, v7930id.exe, 00000006.00000003.283039603.0000000000702000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdbGCTL source: aeICl0Aabv.exe, zap9052.exe.0.dr, zap8476.exe.2.dr, zap9953.exe.1.dr
Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: zap8476.exe, 00000003.00000003.249771343.0000000004F25000.00000004.00000020.00020000.00000000.sdmp, tz5602.exe, 00000004.00000000.250008201.0000000000AD2000.00000002.00000001.01000000.00000007.sdmp, tz5602.exe.3.dr
Source: Binary string: _.pdb source: v7930id.exe, 00000006.00000002.307100759.0000000001F60000.00000004.00000020.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.306929707.0000000000714000.00000004.00000020.00020000.00000000.sdmp, v7930id.exe, 00000006.00000003.284197043.0000000000714000.00000004.00000020.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.307333440.0000000002531000.00000004.00000800.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.307209592.0000000002290000.00000004.08000000.00040000.00000000.sdmp, v7930id.exe, 00000006.00000003.283039603.0000000000702000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Healer.pdbH5 source: v7930id.exe, 00000006.00000002.307100759.0000000001F60000.00000004.00000020.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.307303820.0000000002350000.00000004.08000000.00040000.00000000.sdmp, v7930id.exe, 00000006.00000002.307333440.0000000002531000.00000004.00000800.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.307209592.0000000002290000.00000004.08000000.00040000.00000000.sdmp, v7930id.exe, 00000006.00000003.283039603.0000000000702000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00052390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00052390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Code function: 1_2_012E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_012E2390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Code function: 2_2_00DE2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00DE2390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Code function: 3_2_00A12390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 3_2_00A12390

Networking

Source: Malware configuration extractor URLs: 62.204.41.87/joomla/index.php
Source: Malware configuration extractor URLs: 193.233.20.30:4125
Source: zap9052.exe, 00000001.00000003.247343724.000000000104F000.00000004.00000020.00020000.00000000.sdmp, xJuGE71.exe.1.dr String found in binary or memory: https://api.ip.sb/ip

System Summary

Source: 1.3.zap9052.exe.10eda20.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.v7930id.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.v7930id.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.3.v7930id.exe.520000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.v7930id.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.zap9052.exe.10eda20.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.306492758.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.306673569.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.306894968.00000000006A6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000003.282735795.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: aeICl0Aabv.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.3.zap9052.exe.10eda20.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.v7930id.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.v7930id.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.3.v7930id.exe.520000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.v7930id.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.zap9052.exe.10eda20.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.306492758.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.306673569.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.306894968.00000000006A6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000003.282735795.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00051F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 0_2_00051F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Code function: 1_2_012E1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 1_2_012E1F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Code function: 2_2_00DE1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 2_2_00DE1F90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Code function: 3_2_00A11F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 3_2_00A11F90
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: String function: 004FE43F appears 44 times
Source: aeICl0Aabv.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 828054 bytes, 2 files, at 0x2c +A "zap9052.exe" +A "y89Te35.exe", ID 1798, number 1, 32 datablocks, 0x1503 compression
Source: zap9052.exe.0.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 648832 bytes, 2 files, at 0x2c +A "zap9953.exe" +A "xJuGE71.exe", ID 1840, number 1, 26 datablocks, 0x1503 compression
Source: zap9953.exe.1.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 503084 bytes, 2 files, at 0x2c +A "zap8476.exe" +A "w77lD51.exe", ID 1791, number 1, 19 datablocks, 0x1503 compression
Source: zap8476.exe.2.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 174559 bytes, 2 files, at 0x2c +A "tz5602.exe" +A "v7930id.exe", ID 1713, number 1, 8 datablocks, 0x1503 compression
Source: aeICl0Aabv.exe, 00000000.00000003.246587631.000000000464E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs aeICl0Aabv.exe
Source: aeICl0Aabv.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs aeICl0Aabv.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe 42873B0C5899F64B5F3205A4F3146210CC63152E529C69D6292B037844C81EC4
Source: aeICl0Aabv.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\aeICl0Aabv.exe C:\Users\user\Desktop\aeICl0Aabv.exe
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP003.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tz5602.exe.log
Source: C:\Users\user\Desktop\aeICl0Aabv.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/10@0/0
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_0005597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 0_2_0005597D
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Code function: 4_2_00007FFBACF31B10 ChangeServiceConfigA, 4_2_00007FFBACF31B10
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 6_2_004019F0
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00054FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA, 0_2_00054FE0
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Command line argument: Kernel32.dll 0_2_00052BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Command line argument: Kernel32.dll 1_2_012E2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Command line argument: Kernel32.dll 2_2_00DE2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Command line argument: Kernel32.dll 3_2_00A12BFB
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Command line argument: 08A 6_2_00413780
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Automated click: OK
Source: aeICl0Aabv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: aeICl0Aabv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: aeICl0Aabv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: aeICl0Aabv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: aeICl0Aabv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: aeICl0Aabv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Unpacked PE file: 6.2.v7930id.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Unpacked PE file: 6.2.v7930id.exe.400000.0.unpack .text:ER;.data:W;.nakulor:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_0005724D push ecx; ret 0_2_00057260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Code function: 1_2_012E724D push ecx; ret 1_2_012E7260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Code function: 2_2_00DE724D push ecx; ret 2_2_00DE7260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Code function: 3_2_00A1724D push ecx; ret 3_2_00A17260
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_0041C40C push cs; iretd 6_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_00423149 push eax; ret 6_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_0041C50E push cs; iretd 6_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_004231C8 push eax; ret 6_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_0040E21D push ecx; ret 6_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_0041C6BE push ebx; ret 6_2_0041C6BF
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_0050C125 push ebx; ret 6_2_0050C126
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_004FE484 push ecx; ret 6_2_004FE497
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_0050BE73 push cs; iretd 6_2_0050BF49
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_0050BF75 push cs; iretd 6_2_0050BF49
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_020E4139 push edi; iretd 6_2_020E414E
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_020E454E push ecx; retf 6_2_020E4554
Source: w77lD51.exe.2.dr Static PE information: section name: .vazaweh
Source: v7930id.exe.3.dr Static PE information: section name: .nakulor
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00052F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00052F1D
Source: xJuGE71.exe.1.dr Static PE information: 0xCBA9AC16 [Mon Apr 11 09:21:26 2078 UTC]
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\w77lD51.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe
Source: C:\Users\user\Desktop\aeICl0Aabv.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe
Source: C:\Users\user\Desktop\aeICl0Aabv.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00051AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00051AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Code function: 1_2_012E1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 1_2_012E1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Code function: 2_2_00DE1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 2_2_00DE1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Code function: 3_2_00A11AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 3_2_00A11AE8
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe TID: 5364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe TID: 1964 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 6_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP002.TMP\w77lD51.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00055467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00055467
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00052390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00052390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Code function: 1_2_012E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_012E2390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Code function: 2_2_00DE2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00DE2390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Code function: 3_2_00A12390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 3_2_00A12390
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 6_2_004019F0
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00052F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00052F1D
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_0040ADB0 GetProcessHeap,HeapFree, 6_2_0040ADB0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_004F092B mov eax, dword ptr fs:[00000030h] 6_2_004F092B
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_004F0D90 mov eax, dword ptr fs:[00000030h] 6_2_004F0D90
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00056F40 SetUnhandledExceptionFilter, 0_2_00056F40
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00056CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00056CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Code function: 1_2_012E6F40 SetUnhandledExceptionFilter, 1_2_012E6F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe Code function: 1_2_012E6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_012E6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Code function: 2_2_00DE6F40 SetUnhandledExceptionFilter, 2_2_00DE6F40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe Code function: 2_2_00DE6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00DE6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Code function: 3_2_00A16F40 SetUnhandledExceptionFilter, 3_2_00A16F40
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe Code function: 3_2_00A16CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00A16CF0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_004123F1 SetUnhandledExceptionFilter, 6_2_004123F1
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_004FD070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_004FD070
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_004FE883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_004FE883
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_005071D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_005071D1
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: 6_2_00502658 SetUnhandledExceptionFilter, 6_2_00502658
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_000518A3 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, 0_2_000518A3
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: GetLocaleInfoA, 6_2_00417A20
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Code function: GetLocaleInfoA, 6_2_00507C87
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00057155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00057155
Source: C:\Users\user\Desktop\aeICl0Aabv.exe Code function: 0_2_00052BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, 0_2_00052BFB
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Code function: 4_2_00007FFBACF3077D GetUserNameA, 4_2_00007FFBACF3077D

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Stealing of Sensitive Information

Source: Yara match File source: 1.3.zap9052.exe.10eda20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.v7930id.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.v7930id.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.v7930id.exe.520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.v7930id.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.zap9052.exe.10eda20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.306492758.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.306673569.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.282735795.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.247343724.000000000104F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe, type: DROPPED
Source: Yara match File source: 0.3.aeICl0Aabv.exe.4710420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.aeICl0Aabv.exe.4710420.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.246587631.000000000464E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 1.3.zap9052.exe.10eda20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.v7930id.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.v7930id.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.v7930id.exe.520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.v7930id.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.zap9052.exe.10eda20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.306492758.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.306673569.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.282735795.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.247343724.000000000104F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe, type: DROPPED
No contacted IP infos