Windows Analysis Report
1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe

Overview

General Information

Sample name: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
Analysis ID: 1433876
MD5: 5703edb174766786773f4b565b3ccf85
SHA1: c4e1aa7bf7d5bd0f6c19e8c00d2b32cca143ac19
SHA256: 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5
Tags: base64-decodedexe

Detection

StormKitty, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected BrowserPasswordDump
Yara detected StormKitty Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Avira: detected
Source: 91.92.242.85 Avira URL Cloud: Label: malware
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Malware Configuration Extractor: Xworm {"C2 url": ["91.92.242.85"], "Port": "3344", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 91.92.242.85 Virustotal: Detection: 9%
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe ReversingLabs: Detection: 76%
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Virustotal: Detection: 66%
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Joe Sandbox ML: detected
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe String decryptor: 91.92.242.85
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe String decryptor: 3344
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe String decryptor: <123456789>
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe String decryptor: <Xwormmm>
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe String decryptor: XWorm V5.6
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe String decryptor: USB.exe
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic Snort IDS: 2853192 ETPRO TROJAN Win32/XWorm V3 CnC Command - sendPlugin Outbound 192.168.2.5:49705 -> 91.92.242.85:3344
Source: Traffic Snort IDS: 2853191 ETPRO TROJAN Win32/XWorm V3 CnC Command - savePlugin Inbound 91.92.242.85:3344 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2852873 ETPRO TROJAN Win32/XWorm CnC PING Command Outbound M2 192.168.2.5:49706 -> 91.92.242.85:3344
Source: Traffic Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.5:49706 -> 91.92.242.85:3344
Source: Traffic Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 91.92.242.85:3344 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 91.92.242.85:3344 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.5:49705 -> 91.92.242.85:3344
Source: Traffic Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.5:49705 -> 91.92.242.85:3344
Source: Traffic Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.5:49705 -> 91.92.242.85:3344
Source: Malware configuration extractor URLs: 91.92.242.85
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 91.92.242.85:3344
Source: Joe Sandbox View IP Address: 91.92.242.85
Source: Joe Sandbox View ASN Name: THEZONEBG
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.242.85
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3256072800.0000000002751000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmp141D.tmp.dat.0.dr, tmp9EE9.tmp.dat.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tmp141D.tmp.dat.0.dr, tmp9EE9.tmp.dat.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp141D.tmp.dat.0.dr, tmp9EE9.tmp.dat.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp141D.tmp.dat.0.dr, tmp9EE9.tmp.dat.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp141D.tmp.dat.0.dr, tmp9EE9.tmp.dat.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp141D.tmp.dat.0.dr, tmp9EE9.tmp.dat.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp141D.tmp.dat.0.dr, tmp9EE9.tmp.dat.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3256072800.0000000002751000.00000004.00000800.00020000.00000000.sdmp, 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: tmp896E.tmp.dat.0.dr String found in binary or memory: https://support.mozilla.org
Source: tmp896E.tmp.dat.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp896E.tmp.dat.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://urn.to/r/sds_see
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://urn.to/r/sds_seeaCould
Source: tmp141D.tmp.dat.0.dr, tmp9EE9.tmp.dat.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp141D.tmp.dat.0.dr, tmp9EE9.tmp.dat.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp896E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org
Source: tmp896E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: tmp896E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3257323958.00000000128F8000.00000004.00000800.00020000.00000000.sdmp, places.raw.0.dr, tmp896E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp896E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3257323958.00000000128F8000.00000004.00000800.00020000.00000000.sdmp, places.raw.0.dr, tmp896E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3257323958.00000000128F8000.00000004.00000800.00020000.00000000.sdmp, places.raw.0.dr, tmp896E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

System Summary

Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.3a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.2560000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.2560000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.3255984514.0000000002560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000000.00000000.1986182234.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F26B22 0_2_00007FF848F26B22
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F2A6A8 0_2_00007FF848F2A6A8
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F29562 0_2_00007FF848F29562
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F25D76 0_2_00007FF848F25D76
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F2AF3A 0_2_00007FF848F2AF3A
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F22A48 0_2_00007FF848F22A48
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F31267 0_2_00007FF848F31267
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F23A6D 0_2_00007FF848F23A6D
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F328FA 0_2_00007FF848F328FA
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F2D130 0_2_00007FF848F2D130
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F329D3 0_2_00007FF848F329D3
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F25879 0_2_00007FF848F25879
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F41060 0_2_00007FF848F41060
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3255984514.0000000002560000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameOptions.dll0 vs 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRecovery.dll2 vs 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000000.1986182234.00000000003A2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Binary or memory string: OriginalFilenameXClient.exe4 vs 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.3a0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.2560000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.2560000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.3255984514.0000000002560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000000.00000000.1986182234.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.2560000.1.raw.unpack, Helper.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.2560000.1.raw.unpack, Helper.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.2560000.1.raw.unpack, Botkiller.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.2560000.1.raw.unpack, Botkiller.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/12@0/1
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Mutant created: NULL
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Mutant created: \Sessions\1\BaseNamedObjects\JxfYmBE6u9bELdp4
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe File created: C:\Users\user\AppData\Local\Temp\tmp9EE9.tmp
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tmp9F09.tmp.dat.0.dr, tmp742F.tmp.dat.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe ReversingLabs: Detection: 76%
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Virustotal: Detection: 66%
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, Messages.cs .Net Code: Memory
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F30405 push ebx; retf 0_2_00007FF848F3042A
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F3842E pushad ; ret 0_2_00007FF848F3845D
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F3845E push eax; ret 0_2_00007FF848F3846D
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F27563 push ebx; iretd 0_2_00007FF848F2756A
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\E0E9EDAC3F171A9E5946 5C34AEE5196E0F8615B8D1D9017DD710EA28D2B7AC99295D46046D12EEA58D78
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Memory allocated: BE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Memory allocated: 1A750000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F368D3 rdtsc 0_2_00007FF848F368D3
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Window / User API: threadDelayed 8190
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Window / User API: threadDelayed 1675
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe TID: 6480 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe TID: 1200 Thread sleep count: 8190 > 30
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe TID: 1200 Thread sleep count: 1675 > 30
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
Source: tmp741D.tmp.dat.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, 00000000.00000002.3255537641.0000000000841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: tmp741D.tmp.dat.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: tmp741D.tmp.dat.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp741D.tmp.dat.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp741D.tmp.dat.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: tmp741D.tmp.dat.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmp741D.tmp.dat.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp741D.tmp.dat.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp741D.tmp.dat.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp741D.tmp.dat.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: tmp741D.tmp.dat.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp741D.tmp.dat.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp741D.tmp.dat.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp741D.tmp.dat.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp741D.tmp.dat.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: tmp741D.tmp.dat.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp741D.tmp.dat.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp741D.tmp.dat.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp741D.tmp.dat.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp741D.tmp.dat.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp741D.tmp.dat.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp741D.tmp.dat.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp741D.tmp.dat.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp741D.tmp.dat.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp741D.tmp.dat.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp741D.tmp.dat.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp741D.tmp.dat.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmp741D.tmp.dat.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp741D.tmp.dat.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp741D.tmp.dat.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp741D.tmp.dat.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Code function: 0_2_00007FF848F368D3 rdtsc 0_2_00007FF848F368D3
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Queries volume information: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe VolumeInformation
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe PID: 4508, type: MEMORYSTR
Source: Yara match File source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3256072800.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe PID: 4508, type: MEMORYSTR
Source: Yara match File source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1986182234.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3256072800.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe PID: 4508, type: MEMORYSTR
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: Yara match File source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3256072800.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe PID: 4508, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe PID: 4508, type: MEMORYSTR
Source: Yara match File source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.1c070000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3258964469.000000001C070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3256072800.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe PID: 4508, type: MEMORYSTR
Source: Yara match File source: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1986182234.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3256072800.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe PID: 4508, type: MEMORYSTR