Source: 00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp |
Malware Configuration Extractor: Njrat {"Host": "0.tcp.sa.ngrok.io", "Port": "13065", "Version": "0.7d", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"} |
Source: xbOnlYALvtUq.exe |
ReversingLabs: Detection: 92% |
Source: xbOnlYALvtUq.exe |
Virustotal: Detection: 87% |
Source: Yara match |
File source: dump.pcap, type: PCAP |
Source: Yara match |
File source: xbOnlYALvtUq.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.xbOnlYALvtUq.exe.7a0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4405941872.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: xbOnlYALvtUq.exe PID: 3472, type: MEMORYSTR |
Source: 0.tcp.sa.ngrok.io |
Avira URL Cloud: Label: malware |
Source: 0.tcp.sa.ngrok.io |
Virustotal: Detection: 14% |
Source: xbOnlYALvtUq.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll |
Source: xbOnlYALvtUq.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49704 -> 18.228.115.60:13065 |
Source: Traffic |
Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49704 -> 18.228.115.60:13065 |
Source: Traffic |
Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.5:49704 -> 18.228.115.60:13065 |
Source: Traffic |
Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49704 -> 18.228.115.60:13065 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49704 -> 18.228.115.60:13065 |
Source: Traffic |
Snort IDS: 2019214 ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture) 192.168.2.5:49704 -> 18.228.115.60:13065 |
Source: Traffic |
Snort IDS: 2825565 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) 192.168.2.5:49704 -> 18.228.115.60:13065 |
Source: Traffic |
Snort IDS: 2814858 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inv) 18.228.115.60:13065 -> 192.168.2.5:49704 |
Source: Traffic |
Snort IDS: 2022059 ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Get Passwords) 192.168.2.5:49704 -> 18.228.115.60:13065 |
Source: Traffic |
Snort IDS: 2022060 ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Desktop) 192.168.2.5:49713 -> 18.228.115.60:13065 |
Source: Traffic |
Snort IDS: 2022061 ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Remote Desktop) 192.168.2.5:49713 -> 18.228.115.60:13065 |
Source: global traffic |
TCP traffic: 18.228.115.60 ports 13065,0,1,3,5,6 |
Source: Malware configuration extractor |
URLs: 0.tcp.sa.ngrok.io |
Source: Joe Sandbox View |
ASN Name: AMAZON-02US |
Source: Joe Sandbox View |
IP Address: 18.228.115.60 |
Source: global traffic |
TCP traffic: 192.168.2.5:49704 -> 18.228.115.60:13065 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
DNS traffic detected: queries for: 0.tcp.sa.ngrok.io |
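The extracted configuration (C2 host 0.tcp.sa.ngrok.io on port 13065, campaign ID HacKed, field separator |'|'|) and the ET/ETPRO alerts on the (ll) registration message above are enough to decode and flag the beacon directly from a capture. The following is an added example, not code from the report and not njRAT's own code: it frames messages the way njRAT 0.7d does (ASCII decimal length, a NUL byte, then the payload) and splits fields on the configured separator. The registration field layout after ll (base64 of campaign_hwid, then hostname and username) and the sample beacon bytes are constructed for this example, and the ngrok hostname pattern is a generalisation of the single 0.tcp.sa.ngrok.io host in the report to the N.tcp[.region].ngrok.io form ngrok uses for TCP tunnels.

```python
import base64
import re

# Values taken from the report's extracted njRAT configuration.
SEPARATOR = "|'|'|"
C2_HOST, C2_PORT = "0.tcp.sa.ngrok.io", 13065

# ngrok TCP tunnel endpoints look like N.tcp.ngrok.io or N.tcp.<region>.ngrok.io
# (generalised from the single host seen in the report).
NGROK_TCP = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$", re.I)


def frame(payload: str) -> bytes:
    """njRAT framing: ASCII decimal length, a NUL byte, then the payload."""
    data = payload.encode("utf-8")
    return str(len(data)).encode("ascii") + b"\x00" + data


def deframe(stream: bytes) -> list:
    """Split a TCP byte stream into complete njRAT payloads.

    Stops at the first frame whose length prefix is not numeric or whose
    body has not fully arrived, so a truncated capture does not raise.
    """
    payloads, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0 or not stream[pos:nul].isdigit():
            break
        length = int(stream[pos:nul])
        body = stream[nul + 1 : nul + 1 + length]
        if len(body) < length:
            break
        payloads.append(body.decode("utf-8", errors="replace"))
        pos = nul + 1 + length
    return payloads


def parse_registration(payload: str):
    """Parse an 'll' registration message.

    Field layout is an assumption for this example:
    ll | b64(campaign_hwid) | hostname | username | ... | version | ...
    """
    fields = payload.split(SEPARATOR)
    if len(fields) < 4 or fields[0] != "ll":
        return None
    try:
        ident = base64.b64decode(fields[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    campaign, _, hwid = ident.partition("_")
    # The client version is the first later field shaped like 0.7d.
    version = next((f for f in fields[4:] if re.fullmatch(r"0\.\d+[a-z]?", f)), None)
    return {"campaign": campaign, "hwid": hwid, "hostname": fields[2],
            "username": fields[3], "version": version}


def looks_like_njrat(stream: bytes) -> bool:
    """Content match in the spirit of the ET 'CnC Callback (ll)' signature:
    a NUL-terminated length prefix directly followed by ll and the separator."""
    return b"\x00ll" + SEPARATOR.encode("ascii") in stream


def build_sample_stream() -> bytes:
    """Constructed beacon (not captured traffic): one complete registration
    frame followed by a deliberately truncated second frame."""
    ident = base64.b64encode(b"HacKed_1A2B3C4D").decode("ascii")
    fields = ["ll", ident, "DESKTOP-TEST", "user", "24-05-20", "",
              "Win 10 Pro SP0 x86", "No", "0.7d", "..", "Program Manager"]
    full = frame(SEPARATOR.join(fields))
    truncated = frame("P" + SEPARATOR)[:-3]
    return full + truncated


if __name__ == "__main__":
    stream = build_sample_stream()
    print("signature hit:", looks_like_njrat(stream))
    for msg in deframe(stream):
        print(parse_registration(msg))
    print("C2 is an ngrok TCP tunnel:", bool(NGROK_TCP.match(C2_HOST)))
```

Run against a real pcap, the same deframe and parse functions would be fed the TCP payload of the 192.168.2.5:49704 -> 18.228.115.60:13065 stream; the campaign ID recovered from the first field should equal the "Campaign ID" the configuration extractor reported.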
Source: xbOnlYALvtUq.exe, kl.cs |
.Net Code: VKCodeToUnicode |
Source: xbOnlYALvtUq.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: xbOnlYALvtUq.exe, type: SAMPLE |
Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: xbOnlYALvtUq.exe, type: SAMPLE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: xbOnlYALvtUq.exe, type: SAMPLE |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: xbOnlYALvtUq.exe, type: SAMPLE |
Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen |
Source: 0.0.xbOnlYALvtUq.exe.7a0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 0.0.xbOnlYALvtUq.exe.7a0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: 0.0.xbOnlYALvtUq.exe.7a0000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0.0.xbOnlYALvtUq.exe.7a0000.0.unpack, type: UNPACKEDPE |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 0.0.xbOnlYALvtUq.exe.7a0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen |
Source: 00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: xbOnlYALvtUq.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: xbOnlYALvtUq.exe, type: SAMPLE |
Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: xbOnlYALvtUq.exe, type: SAMPLE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: xbOnlYALvtUq.exe, type: SAMPLE |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: xbOnlYALvtUq.exe, type: SAMPLE |
Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi |
Source: 0.0.xbOnlYALvtUq.exe.7a0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 0.0.xbOnlYALvtUq.exe.7a0000.0.unpack, type: UNPACKEDPE |
Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.0.xbOnlYALvtUq.exe.7a0000.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0.0.xbOnlYALvtUq.exe.7a0000.0.unpack, type: UNPACKEDPE |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 0.0.xbOnlYALvtUq.exe.7a0000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi |
Source: 00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000000.1962163495.00000000007A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Code function: 0_2_011C7920 |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Code function: 0_2_011C8B90 |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Code function: 0_2_011C22D8 |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Code function: 0_2_011C791C |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Code function: 0_2_01098FD1 |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Process Stats: CPU usage > 49% |
Source: xbOnlYALvtUq.exe, 00000000.00000002.4405417692.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamemscorwks.dllT vs xbOnlYALvtUq.exe |
Source: xbOnlYALvtUq.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\xbOnlYALvtUq.exe C:\Users\user\Desktop\xbOnlYALvtUq.exe |
|
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\xbOnlYALvtUq.exe" "xbOnlYALvtUq.exe" ENABLE |
|
Source: C:\Windows\SysWOW64\netsh.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Code function: 0_2_01212662 AdjustTokenPrivileges |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Code function: 0_2_0121262B AdjustTokenPrivileges |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@4/1@2/1 |
Source: xbOnlYALvtUq.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79% |
|
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Mutant created: \Sessions\1\BaseNamedObjects\5bfe00b9b88f2456727afb4cd20491af |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2316:120:WilError_03 |
Source: 0.2.xbOnlYALvtUq.exe.59b0000.0.raw.unpack, fPaOXJiiKVeLw8kPTa.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll |
Source: xbOnlYALvtUq.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: xbOnlYALvtUq.exe, OK.cs |
.Net Code: Plugin System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.xbOnlYALvtUq.exe.59b0000.0.raw.unpack, fPaOXJiiKVeLw8kPTa.cs |
.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)}) |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Code function: 0_2_011C443D push eax; iretd 0_2_011C4444 |
Source: 0.2.xbOnlYALvtUq.exe.59b0000.0.raw.unpack, capture.cs |
High entropy of concatenated method names: 'BitBlt', 'lMmSjMGSG', 'r4vAhlCDO', 'rLK7KVLPF', 'RG8kvPtuW', 'SelectObject', 'LDy5AiAHV', 'peQ6NFdwP', 'i870d4mLF', 'screensize' |
Source: 0.2.xbOnlYALvtUq.exe.59b0000.0.raw.unpack, A.cs |
High entropy of concatenated method names: 'Sendb', 'Send', 'SB', 'BS', 'Start', 'RC', 'ind', 'fr', 'ud', 'getMD5Hash' |
Source: 0.2.xbOnlYALvtUq.exe.59b0000.0.raw.unpack, fPaOXJiiKVeLw8kPTa.cs |
High entropy of concatenated method names: 'zwiiLX9ZN29PA0lRZhE', 'W4fqvV9vOhCEmTPJrwY', 'qUfZLGCmVt', 'YuWN4m9LqcurZx6C2si', 'NUwGRm9Xp1e0kVGDAse', 'h261hO9qb8KmDrsQG9I', 'xHkcKn9s05tWG287mXG', 'JuQvGA9lSxh4MSDycel', 'puUjOq9tvOfYsW207rP', 'TU4Hh39wFa8O2YhyM91' |
Source: 0.2.xbOnlYALvtUq.exe.59b0000.0.raw.unpack, jxhafrZjpCnscQ6PYZH.cs |
High entropy of concatenated method names: 'xhYyy6R6G2', 'YoY2KV9gtFRFqEmkcHj', 'ugIhOv9u1peaZBlitnG', 'rX1Uk09PEXP823MlLdt', 'IuaoxE9fZjBDhCXswg0', 'IC3nh19BApjS7BbAltq' |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\5bfe00b9b88f2456727afb4cd20491af 3fc6b884fbc29ec00482827c26669b2b |
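The netsh firewall exception above (the legacy `netsh firewall add allowedprogram` form, run with the dropped binary's own user-profile path and with that binary as the parent process) and the HKCU\SOFTWARE\<32 hex> = <32 hex> install-ID value are the two host artefacts in this report most worth turning into detections. The following is an added example, not code from the report or from the sandbox: it evaluates constructed Sysmon-style events (Event 1 process creation, Event 13 registry value set) against those heuristics. The advfirewall form of the command, the list of user-writable locations and the 32-hex key heuristic are generalisations beyond the single observations on this page and are assumptions of the example.

```python
import re

# Heuristics derived from the behaviours in this report. The event format is
# Sysmon field names over plain dicts; this is not the sandbox's own logic.

# Legacy and advfirewall forms of adding a firewall exception through netsh.
LEGACY_ALLOW = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
ADV_ALLOW = re.compile(
    r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)

# Locations a standard user can write to. A firewall exception for a binary
# here is far more suspicious than one for a Program Files install.
USER_WRITABLE = re.compile(
    r"^(?:[A-Z]:\\Users\\[^\\]+\\|[A-Z]:\\ProgramData\\|[A-Z]:\\Windows\\Temp\\)", re.I)

# njRAT wrote HKCU\SOFTWARE\<32 hex> = <32 hex>; in Sysmon Event 13 the hive
# appears as HKU\<SID>. Treating any 32-hex key directly under SOFTWARE as
# suspicious is an assumption generalised from the single key in the report.
HEX32_KEY = re.compile(r"\\SOFTWARE\\([0-9a-f]{32})$", re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)


def allowed_program(cmdline: str):
    """Return the program path a netsh command line whitelists, or None."""
    for rx in (LEGACY_ALLOW, ADV_ALLOW):
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def evaluate(event: dict) -> list:
    """Return the names of the rules that fire on one event."""
    hits = []
    if event.get("EventID") == 1:
        path = allowed_program(event.get("CommandLine", ""))
        if path:
            if USER_WRITABLE.match(path):
                hits.append("firewall_exception_user_writable_path")
            if USER_WRITABLE.match(event.get("ParentImage", "")):
                hits.append("netsh_spawned_from_user_writable_parent")
    elif event.get("EventID") == 13:
        if HEX32_KEY.search(event.get("TargetObject", "")) and \
                HEX32.match(event.get("Details", "")):
            hits.append("hkcu_software_hex32_install_id")
    return hits


# Constructed events. The first and third mirror the netsh command line and
# the registry write observed in the report; the others are benign controls.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\user\Desktop\xbOnlYALvtUq.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\user\Desktop\xbOnlYALvtUq.exe" "xbOnlYALvtUq.exe" ENABLE'},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Backup Agent" dir=in action=allow program="C:\Program Files\Backup\agent.exe"'},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\xbOnlYALvtUq.exe",
     "TargetObject": SID + r"\SOFTWARE\5bfe00b9b88f2456727afb4cd20491af",
     "Details": "3fc6b884fbc29ec00482827c26669b2b"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def scan(events) -> list:
    """Return (event index, rule name) pairs for every hit across the events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


if __name__ == "__main__":
    for i, rule in scan(SAMPLE_EVENTS):
        print(f"event {i}: {rule}")
```

The parent-process check matters as much as the command line: the report shows netsh.exe created directly by the sample from the user's Desktop, which is not how an administrator or installer adds a rule.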
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Process information set: NOOPENFILEERRORBOX (44 occurrences) |
Source: C:\Windows\SysWOW64\netsh.exe |
Process information set: NOOPENFILEERRORBOX (2 occurrences) |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe TID: 5900 |
Thread sleep time: -105000s >= -30000s |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Window / User API: threadDelayed 3729 |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Window / User API: threadDelayed 1876 |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Window / User API: threadDelayed 1943 |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Window / User API: foregroundWindowGot 1767 |
Source: xbOnlYALvtUq.exe, 00000000.00000002.4405417692.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.2036777517.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000003.2036238088.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Memory allocated: page read and write | page guard |
Source: xbOnlYALvtUq.exe, kl.cs |
Reference to suspicious API methods: MapVirtualKey(a, 0u) |
Source: xbOnlYALvtUq.exe, kl.cs |
Reference to suspicious API methods: GetAsyncKeyState(num2) |
Source: xbOnlYALvtUq.exe, OK.cs |
Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100) |
Source: xbOnlYALvtUq.exe, 00000000.00000002.4405941872.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: xbOnlYALvtUq.exe, 00000000.00000002.4405941872.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager@9 |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\SysWOW64\netsh.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\Desktop\xbOnlYALvtUq.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match |
File source: 0.2.xbOnlYALvtUq.exe.59b0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.xbOnlYALvtUq.exe.59b0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.4407298809.00000000059B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |