Windows Analysis Report
4Fau7Mt9J9.exe

Overview

General Information

Sample Name: 4Fau7Mt9J9.exe
Original Sample Name: 82cf051811579ee4f1d9978af52f12db.exe
Analysis ID: 1287245
MD5: 82cf051811579ee4f1d9978af52f12db
SHA1: 34122975ea9238001cb644955a1474f4d33f9e7b
SHA256: 2227d5b2e2782a03bdb847a8ebf9ea40cc2c9f10f48385154c66ded1577b1deb
Tags: 32, exe, trojan

Detection

SystemBC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected SystemBC
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Writes to foreign memory regions
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops files with a non-matching file extension (content does not match file extension)
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Tries to load missing DLLs
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Classification

Name: SystemBC
Description: SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC. SystemBC has been observed occasionally, but more pronounced since June 2019. The first samples go back to October 2018.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc

AV Detection

Source: 2.2.cmd.exe.2da00c8.5.raw.unpack Malware Configuration Extractor: SystemBC {"HOST1": "ar.undata.cc", "HOST2": "ar1.undata.cc", "PORT1": "5320"}
Source: 4Fau7Mt9J9.exe ReversingLabs: Detection: 13%
Source: 4Fau7Mt9J9.exe Virustotal: Detection: 21%
Source: ar1.undata.cc Avira URL Cloud: Label: malware
Source: ar.undata.cc Avira URL Cloud: Label: malware
Source: ar.undata.cc Virustotal: Detection: 13%
Source: ar1.undata.cc Virustotal: Detection: 12%
Source: C:\Users\user\AppData\Local\Temp\bmnfbnpmvm Virustotal: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\plfnqcwhvig Virustotal: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\plfnqcwhvig Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bmnfbnpmvm Joe Sandbox ML: detected
Source: 4Fau7Mt9J9.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe File opened: C:\Users\user\AppData\Roaming\activeds\MSVCR71.dll
Source: unknown HTTPS traffic detected: 104.26.9.237:443 -> 192.168.2.3:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.165.183.85:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 146.75.52.193:443 -> 192.168.2.3:49706 version: TLS 1.2
Source: 4Fau7Mt9J9.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\

Networking

Source: Malware configuration extractor URLs: ar.undata.cc
Source: Malware configuration extractor URLs: ar1.undata.cc
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View IP Address: 18.165.183.85
Source: Joe Sandbox View IP Address: 146.75.52.193
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown DNS traffic detected: queries for: doi.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Connection: Keep-Alive User-Agent: CC Host: doi.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Connection: Keep-Alive User-Agent: CC Host: www.doi.org
Source: global traffic HTTP traffic detected: GET /EsiwNZ8.png HTTP/1.1 Connection: Keep-Alive User-Agent: CC Host: i.imgur.com
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 1_2_00411988 1_2_00411988
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_00411988 7_2_00411988
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_005A76F0 7_2_005A76F0
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_005AB7D0 7_2_005AB7D0
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_005CBD33 7_2_005CBD33
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: String function: 00594BB0 appears 62 times
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: String function: 00598B60 appears 146 times
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: String function: 005C160A appears 36 times
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Section loaded: muiutils.dll
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Section loaded: muicorelib.dll
Source: 4Fau7Mt9J9.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File read: C:\Users\user\Desktop\4Fau7Mt9J9.exe
Source: 4Fau7Mt9J9.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\4Fau7Mt9J9.exe C:\Users\user\Desktop\4Fau7Mt9J9.exe
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe Process created: C:\Users\user\AppData\Roaming\activeds\ICQ.exe C:\Users\user\AppData\Roaming\activeds\ICQ.exe
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\activeds\ICQ.exe "C:\Users\user\AppData\Roaming\activeds\ICQ.exe"
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: enycywk.2.dr LNK file: ..\..\Roaming\activeds\ICQ.exe
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File created: C:\Users\user\AppData\Roaming\OOHASBCEYFIYSAZ
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe File created: C:\Users\user\AppData\Local\Temp\9aa8f90b
Source: classification engine Classification label: mal100.troj.evad.winEXE@14/18@3/3
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_00591D00 CoCreateInstance, 7_2_00591D00
Source: C:\Windows\SysWOW64\cmd.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1112:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_01
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 1_2_00401270 LoadResource,LockResource,SizeofResource, 1_2_00401270
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 4Fau7Mt9J9.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 4Fau7Mt9J9.exe Static file information: File size 2473672 > 1048576
Source: 4Fau7Mt9J9.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b6c00
Source: 4Fau7Mt9J9.exe Static PE information: More than 200 imports for USER32.dll
Source: 4Fau7Mt9J9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4Fau7Mt9J9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4Fau7Mt9J9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4Fau7Mt9J9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4Fau7Mt9J9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4Fau7Mt9J9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 4Fau7Mt9J9.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4Fau7Mt9J9.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4Fau7Mt9J9.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4Fau7Mt9J9.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4Fau7Mt9J9.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 1_2_004102B3 push ecx; ret 1_2_004102C3
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_004102B3 push ecx; ret 7_2_004102C3
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_005C6060 push eax; ret 7_2_005C6074
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_005C6060 push eax; ret 7_2_005C609C
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_005C6333 push ecx; ret 7_2_005C6343
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_005B06F0 push ecx; mov dword ptr [esp], 00000000h 7_2_005B0706
Source: bmnfbnpmvm.2.dr Static PE information: section name: scrg
Source: plfnqcwhvig.8.dr Static PE information: section name: scrg
Source: MDb.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x3c6e7
Source: MKernel.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x378e2
Source: MUtils.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x9af8d
Source: MUICoreLib.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xcfca3
Source: MUIUtils.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x64326
Source: 4Fau7Mt9J9.exe Static PE information: real checksum: 0x268eb5 should be: 0x260730
Source: plfnqcwhvig.8.dr Static PE information: real checksum: 0x0 should be: 0x12523
Source: coolcore49.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xc28c3
Source: xprt6.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x40588
Source: bmnfbnpmvm.2.dr Static PE information: real checksum: 0x0 should be: 0x12523
Source: MCoreLib.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x1acde
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\bmnfbnpmvm
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\plfnqcwhvig
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File created: C:\Users\user\AppData\Roaming\activeds\MUtils.dll
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File created: C:\Users\user\AppData\Roaming\activeds\ICQ.exe
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File created: C:\Users\user\AppData\Roaming\activeds\MKernel.dll
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File created: C:\Users\user\AppData\Roaming\activeds\msvcp71.dll
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File created: C:\Users\user\AppData\Roaming\activeds\MDb.dll
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File created: C:\Users\user\AppData\Roaming\activeds\MUIUtils.dll
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File created: C:\Users\user\AppData\Roaming\activeds\coolcore49.dll
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File created: C:\Users\user\AppData\Roaming\activeds\MCoreLib.dll
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File created: C:\Users\user\AppData\Roaming\activeds\MUICoreLib.dll
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File created: C:\Users\user\AppData\Roaming\activeds\xprt6.dll
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe File created: C:\Users\user\AppData\Roaming\activeds\msvcr71.dll
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 1_2_0040C417 ??1TBstr@XPRT@@QAE@XZ,GetPrivateProfileStringW,??0TBstr@XPRT@@QAE@PBG@Z,?GetString@TBstr@XPRT@@QBEPBGXZ,??0TBstr@XPRT@@QAE@PBG@Z,?Find@TBstr@XPRT@@QBEHGH@Z,?TrimLeft@TBstr@XPRT@@QAEAAV12@XZ,?TrimRight@TBstr@XPRT@@QAEAAV12@XZ,?GetAt@TBstr@XPRT@@QBEGH@Z,??1TBstr@XPRT@@QAE@XZ,??0TBstr@XPRT@@QAE@XZ,??0TBstr@XPRT@@QAE@PBG@Z,??1TBstr@XPRT@@QAE@XZ,??0TBstr@XPRT@@QAE@GH@Z,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,??1TBstr@XPRT@@QAE@XZ,??1TBstr@XPRT@@QAE@XZ,??1TBstr@XPRT@@QAE@XZ,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,?Find@TBstr@XPRT@@QBEHGH@Z,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,?DirSpecFromFullSpec@TFile@XPRT@@SA?AVTBstr@2@PBG@Z,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,??1TBstr@XPRT@@QAE@XZ,?GetString@TBstr@XPRT@@QBEPBGXZ,?GetString@TBstr@XPRT@@QBEPBGXZ,?GetString@TBstr@XPRT@@QBEPBGXZ,?AppendFileNameToSpec@TFile@XPRT@@SA?AVTBstr@2@PBG0@Z,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,??1TBstr@XPRT@@QAE@XZ,??1TBstr@XPRT@@QAE@XZ,?Empty@TBstr@XPRT@@QAEXXZ,GetPrivateProfileStringW,?Assign@TBstr@XPRT@@QAEAAV12@PBG@Z, 1_2_0040C417
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_0040C417 ??1TBstr@XPRT@@QAE@XZ,GetPrivateProfileStringW,??0TBstr@XPRT@@QAE@PBG@Z,?GetString@TBstr@XPRT@@QBEPBGXZ,??0TBstr@XPRT@@QAE@PBG@Z,?Find@TBstr@XPRT@@QBEHGH@Z,?TrimLeft@TBstr@XPRT@@QAEAAV12@XZ,?TrimRight@TBstr@XPRT@@QAEAAV12@XZ,?GetAt@TBstr@XPRT@@QBEGH@Z,??1TBstr@XPRT@@QAE@XZ,??0TBstr@XPRT@@QAE@XZ,??0TBstr@XPRT@@QAE@PBG@Z,??1TBstr@XPRT@@QAE@XZ,??0TBstr@XPRT@@QAE@GH@Z,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,??1TBstr@XPRT@@QAE@XZ,??1TBstr@XPRT@@QAE@XZ,??1TBstr@XPRT@@QAE@XZ,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,?Find@TBstr@XPRT@@QBEHGH@Z,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,?DirSpecFromFullSpec@TFile@XPRT@@SA?AVTBstr@2@PBG@Z,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,??1TBstr@XPRT@@QAE@XZ,?GetString@TBstr@XPRT@@QBEPBGXZ,?GetString@TBstr@XPRT@@QBEPBGXZ,?GetString@TBstr@XPRT@@QBEPBGXZ,?AppendFileNameToSpec@TFile@XPRT@@SA?AVTBstr@2@PBG0@Z,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,??1TBstr@XPRT@@QAE@XZ,??1TBstr@XPRT@@QAE@XZ,?Empty@TBstr@XPRT@@QAEXXZ,GetPrivateProfileStringW,?Assign@TBstr@XPRT@@QAEAAV12@PBG@Z, 7_2_0040C417

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BMNFBNPMVM
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PLFNQCWHVIG
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe TID: 7024 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bmnfbnpmvm
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\plfnqcwhvig
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Memory allocated: 29F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Memory allocated: 2A60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4Fau7Mt9J9.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 1_2_0040A29C ?GetString@TBstr@XPRT@@QBEPBGXZ,VariantInit,?Assign@TBstr@XPRT@@QAEAAV12@PBG@Z,setlocale,xprt_strlcpy,setlocale,_snwprintf,?Assign@TBstr@XPRT@@QAEAAV12@PBG@Z,setlocale,_XprtMemFree@4,_XprtGetSystemInfo@0,_XprtGetSystemInfo@0,_XprtGetSystemInfo@0,_XprtGetSystemInfo@0,??0TBstr@XPRT@@QAE@PBDPBG@Z,?Assign@TBstr@XPRT@@QAEAAV12@ABV12@@Z,??1TBstr@XPRT@@QAE@XZ,VariantTimeToSystemTime,setlocale,xprt_strlcpy,setlocale,wcsftime,?Assign@TBstr@XPRT@@QAEAAV12@PBG@Z,setlocale,??0TBstr@XPRT@@QAE@PBDPBG@Z,?GetString@TBstr@XPRT@@QBEPBGXZ,?Assign@TBstr@XPRT@@QAEAAV12@PBG@Z,??1TBstr@XPRT@@QAE@XZ,VariantClear, 1_2_0040A29C
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 1_2_00401810 GetProcessHeap,HeapFree, 1_2_00401810

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Section loaded: C:\Windows\SysWOW64\mshtml.dll target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 1CF380
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2C10000
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 3230000
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 2224 base: 1CF380 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 2224 base: 2C10000 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 3212 base: 1CF380 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 3212 base: 3230000 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 1_2_004021F0
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 7_2_004021F0
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 7_2_005910A0
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 1_2_00410422 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_00410422
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 1_2_00409030 GetVersion,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress, 1_2_00409030

Stealing of Sensitive Information

Source: Yara match File source: 2.2.cmd.exe.2da00c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.cmd.exe.28600c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.484378047.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.428400752.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.556408741.0000000002C11000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.550133555.0000000003231000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bmnfbnpmvm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\plfnqcwhvig, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 2.2.cmd.exe.2da00c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.cmd.exe.28600c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.484378047.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.428400752.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.556408741.0000000002C11000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.550133555.0000000003231000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bmnfbnpmvm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\plfnqcwhvig, type: DROPPED
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_005A54F0 ?attachTargetSnapshot@MCBox@MNBoxely@@QAE_NVMCSnapshot@2@@Z,_CxxThrowException,?get_elementSourceBox@MCDataBinding@MNBoxely@@QAE?AVMCBox@2@XZ,_CxxThrowException, 7_2_005A54F0
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_005A55D0 ?get_elementSourceBox@MCDataBinding@MNBoxely@@QAE?AVMCBox@2@XZ, 7_2_005A55D0
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_005A56B0 ?put_elementSourceBox@MCDataBinding@MNBoxely@@QAEXABVMCBox@2@@Z,_CxxThrowException, 7_2_005A56B0
Source: C:\Users\user\AppData\Roaming\activeds\ICQ.exe Code function: 7_2_005ADE20 ?CreateBinding@MNBoxelyUtils@@YAJAAVMCBox@MNBoxely@@0ABV?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@1_N11@Z,?put_elementSourceBox@MCDataBinding@MNBoxely@@QAEXABVMCBox@2@@Z, 7_2_005ADE20