Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 882706
MD5: 06c4b26e4b35eefdd3ba47c2a6316f0a
SHA1: d3af04c23a9b80252445f713a1071f2cf72e6092
SHA256: 663f49a7b12d9ef01a0c3c98892d7c9a204cae1afc7bf134da02510b61195bb5
Tags: .NET exe MSIL

Detection

BlackGuard
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected BlackGuard
Multi AV Scanner detection for submitted file
.NET source code contains very large array initializations
Yara detected Costura Assembly Loader
Machine Learning detection for sample
.NET source code contains potential unpacker
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
One or more processes crash
Checks if the current process is being debugged
Yara detected Credential Stealer

Classification

AV Detection

Source: file.exe Avira: detected
Source: 0.2.file.exe.1377cb40.1.raw.unpack Malware Configuration Extractor: BlackGuard {"C2 url": "http://94.142.138.111"}
Source: Yara match File source: 0.2.file.exe.12d84648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.12d84648.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1b2d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1377cb40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1377cb40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1b2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: file.exe ReversingLabs: Detection: 32%
Source: file.exe Virustotal: Detection: 44%
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Core.ni.pdbRSDSD source: WER68D7.tmp.dmp.3.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS5 source: WER68D7.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbes> source: file.exe, 00000000.00000002.424893653.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER68D7.tmp.dmp.3.dr
Source: Binary string: lib.pdb source: file.exe, 00000000.00000002.424893653.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source: Binary string: System.Drawing.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source: Binary string: uC:\Users\user\Desktop\file.PDBp source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdbSystem.Windows.Forms.dll source: WER68D7.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbtpHa Ql source: file.exe, 00000000.00000002.424893653.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER68D7.tmp.dmp.3.dr
Source: Binary string: file.PDBx source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER68D7.tmp.dmp.3.dr
Source: Binary string: System.Core.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source: Binary string: System.Windows.Forms.pdb source: WER68D7.tmp.dmp.3.dr
Source: Binary string: lib.pdb.00 source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER68D7.tmp.dmp.3.dr
Source: Binary string: C:\Users\user\Desktop\file.PDBu source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WER68D7.tmp.dmp.3.dr
Source: Binary string: mscorlib.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source: Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.424893653.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER68D7.tmp.dmp.3.dr
Source: Binary string: mscorlib.ni.pdbRSDS] source: WER68D7.tmp.dmp.3.dr
Source: Binary string: System.ni.pdb source: WER68D7.tmp.dmp.3.dr
Source: Binary string: 0C:\Windows\mscorlib.pdbG>_& source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb- source: WER68D7.tmp.dmp.3.dr
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net

E-Banking Fraud

Source: Yara match File source: 0.2.file.exe.12d84648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.12d84648.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1b2d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1377cb40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1377cb40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1b2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: file.exe, VK/Program.cs Large array initialization: GlobaLeess: array initializer size 3484704
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe, 00000000.00000002.424893653.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamePython ConsoleB vs file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5788 -s 944
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll (2 identical events)
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5788 -s 944
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5788
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER68D7.tmp
Source: classification engine Classification label: mal88.troj.evad.winEXE@2/5@0/0
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts (2 identical events)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exe Static file information: File size 3491840 > 1048576
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x353c00
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 0.2.file.exe.12d84648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.12d84648.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1b2d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1377cb40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1377cb40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1b2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: file.exe, VK/Program.cs .Net Code: Ehti System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: file.exe, VK/Program.cs .Net Code: Ehti
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX (26 identical events)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 identical events)
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1g
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort (2 identical events)
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Note: the VMware device identifiers and the msmpeng.exe path above are read from Amcache.hve, the analysis VM's own application-compatibility hive, captured as a dropped file of the WerFault.exe process (the same .3.dr process index that wrote WER68D7.tmp), not from strings inside file.exe. On their own they record what hardware and programs the sandbox host has seen and do not evidence VM detection or AV termination by the sample; the DebugPort queries and the MachineGuid read come from file.exe itself and are the behaviours to weigh.
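Added example, not part of the Joe Sandbox report and not code from the sample or from Costura: a Python script that reproduces the "Static PE information" checks listed under System Summary (FILE_HEADER characteristics, DllCharacteristics, the .text section flags, the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR directory) and then reads the CLR header that the report does not print. The CLR flags are the check a practitioner wants for the "Uses 32bit PE files" signature: an ILONLY image without 32BITREQUIRED is AnyCPU, so on x64 Windows it runs as a 64-bit process even though the PE header carries 32BIT_MACHINE, which is consistent with file.exe opening Framework64\mscorrc.dll and loading NativeImages_v4.0.30319_64 above. The same script walks the managed resources blob and inflates any raw-DEFLATE record that yields an MZ header, the form in which Costura embeds assemblies before handing them to Assembly.Load(byte[]) (the Costura Assembly Loader and Assembly::Load(System.Byte[]) findings under Data Obfuscation). Assumptions: the functions inspect(), inflate_if_deflate() and build_sample() are mine; build_sample() returns a constructed PE32 image that mirrors the report's flags, not the analysed file; the sequential resource walk and raw-DEFLATE (wbits=-15) decoding are heuristics; and a payload stored as a byte-array initializer in code, like the 3,484,704-byte array in VK/Program.cs, is not reached by this walk and needs a decompiler.

```python
import json
import struct
import sys
import zlib

# Flag names as they appear in the report's "Static PE information" lines.
FILE_CHARS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_CHARS = {0x20: "CNT_CODE", 0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}
CLR_FLAGS = {0x1: "ILONLY", 0x2: "32BITREQUIRED", 0x8: "STRONGNAMESIGNED", 0x20000: "32BITPREFERRED"}


def _names(value, table):
    return [name for bit, name in table.items() if value & bit]


def _rva_to_offset(sections, rva):
    for _, vaddr, vsize, raw_ptr, raw_size, _ in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def inflate_if_deflate(blob):
    """Costura writes embedded assemblies through DeflateStream: raw DEFLATE, no zlib header (wbits=-15)."""
    try:
        return zlib.decompress(blob, -15)
    except zlib.error:
        return None  # not a raw DEFLATE stream


def inspect(data):
    """Parse the PE headers, the CLR (COM descriptor) header and the managed resources blob."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic, = struct.unpack_from("<H", data, opt)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories follow the PE32 / PE32+ optional header
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 14 * 8)  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode("latin-1"), f[2], f[1], f[4], f[3], f[9]))
    result = {"machine": hex(machine), "characteristics": _names(chars, FILE_CHARS),
              "dll_characteristics": _names(dll_chars, DLL_CHARS),
              "sections": {s[0]: _names(s[5], SECTION_CHARS) for s in sections},
              "is_dotnet": bool(clr_rva and clr_size), "clr_flags": [], "anycpu": False, "resources": []}
    if not result["is_dotnet"]:
        return result
    clr = _rva_to_offset(sections, clr_rva)
    flags, = struct.unpack_from("<I", data, clr + 16)
    res_rva, res_size = struct.unpack_from("<II", data, clr + 24)
    result["clr_flags"] = _names(flags, CLR_FLAGS)
    # ILONLY without 32BITREQUIRED is AnyCPU: on x64 Windows the process runs 64-bit even though the
    # PE header says 32BIT_MACHINE, which is how a "32bit PE" ends up loading Framework64 native images.
    result["anycpu"] = bool(flags & 0x1) and not flags & 0x2
    if res_rva and res_size:
        # Managed resources are a run of [uint32 length][bytes] records; walking them in order is a
        # heuristic that avoids parsing the ManifestResource metadata table.
        off = _rva_to_offset(sections, res_rva)
        end = off + res_size
        while off + 4 <= end:
            length, = struct.unpack_from("<I", data, off)
            blob = data[off + 4:off + 4 + length]
            inflated = inflate_if_deflate(blob)
            payload = blob if inflated is None else inflated
            result["resources"].append({"size": length, "compressed": inflated is not None,
                                        "is_pe": payload[:2] == b"MZ"})
            off += 4 + length
    return result


def build_sample():
    """Constructed PE32 .NET image that mirrors the report's header flags; it is not the analysed file."""
    fake_dll = b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 120  # constructed stand-in for an embedded assembly
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(fake_dll) + comp.flush()
    resources = struct.pack("<I", len(deflated)) + deflated  # resource 0: Costura-style compressed PE
    resources += struct.pack("<I", 8) + b"\xce\xca\xef\xbe\x01\0\0\0"  # resource 1: plain .resources blob
    clr = struct.pack("<IHHIIIIII", 72, 2, 5, 0, 0, 0x1, 0x06000001, 0x2048, len(resources)) + b"\0" * 40
    text = clr + resources
    text += b"\0" * (-len(text) % 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0002 | 0x0100)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 48, 0, len(text), 0, 0, 0x2000, 0x2000,
                      0x4000, 0x400000, 0x2000, 0x200, 4, 0, 0, 0, 6, 0, 0, 0x4000, 0x200, 0, 3,
                      0x0040 | 0x0100 | 0x0400 | 0x8000, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"\0" * (8 * 14) + struct.pack("<II", 0x2000, 72) + b"\0" * 8
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), 0x200, 0, 0, 0, 0,
                      0x20 | 0x20000000 | 0x40000000)
    headers = dos + b"PE\0\0" + file_hdr + opt + dirs + sec
    return headers + b"\0" * (0x200 - len(headers)) + text


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(inspect(image), indent=2))
```

Run it with a sample path as the only argument; with no argument it inspects the constructed image. On a real Costura-packed binary the resource walk reports which records inflate to a PE, which tells you whether the next stage sits in resources or, as the large array initializer in this report suggests, in code that you must pull out with a decompiler.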

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.12d84648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.12d84648.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1b2d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1377cb40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1377cb40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1b2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.12d84648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.12d84648.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1b2d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1377cb40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1377cb40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.1b2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos