Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1447537
MD5: 0dd1f6c2b9bf477115701a1340d8d9a2
SHA1: 7b074f54130217609435efe3f45ba38d363dd381
SHA256: bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711
Tags: exe

Detection

SystemBC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected SystemBC
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Performs DNS queries to domains with low reputation
Send many emails (e-Mail Spam)
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Connects to many different domains
Connects to several IPs in different countries
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
File is packed with WinRar
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)

Classification

Name: SystemBC
Description: SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC. SystemBC has been observed occasionally, but more pronounced since June 2019. The first samples go back to October 2018.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc

AV Detection

Source: cobusabobus.cam Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Avira: detection malicious, Label: TR/Coroxy.wzuqd
Source: C:\ProgramData\kgit\xcod.exe Avira: detection malicious, Label: TR/Coroxy.wzuqd
Source: 00000003.00000003.1623122977.00000000073E4000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: SystemBC {"HOST1": "cobusabobus.cam", "HOST2": "cobusabobus.cam", "PORT1": "4001", "DNS1": "5.132.191.104", "DNS2": "ns1.vic.au.dns.opennic.glue", "DNS3": "ns2.vic.au.dns.opennic.glue"}
Source: cobusabobus.cam Virustotal: Detection: 10%
Source: C:\ProgramData\kgit\xcod.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe ReversingLabs: Detection: 95%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 93.1% probability
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Joe Sandbox ML: detected
Source: C:\ProgramData\kgit\xcod.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Code function: 4_2_004022F3 VirtualAlloc,DecryptMessage, 4_2_004022F3
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Code function: 4_2_004021BE QueryContextAttributesA,VirtualAlloc,EncryptMessage, 4_2_004021BE
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe, work.exe.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CDBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00CDBA94
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CED420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00CED420
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003ABA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 3_2_003ABA94
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003BD420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 3_2_003BD420

Networking

Source: Traffic Snort IDS: 2031599 ET TROJAN Win32/SystemBC CnC Checkin 192.168.2.4:49730 -> 212.162.153.199:4001
Source: Malware configuration extractor URLs: cobusabobus.cam
Source: DNS query: mail.wavesmail.xyz
Source: unknown Network traffic detected: DNS query count 68
Source: unknown Network traffic detected: IP country count 26
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 212.162.153.199:4001
Source: global traffic TCP traffic: 192.168.2.4:55120 -> 185.208.164.126:587
Source: global traffic TCP traffic: 192.168.2.4:55121 -> 186.64.118.100:587
Source: global traffic TCP traffic: 192.168.2.4:55122 -> 212.10.10.65:587
Source: global traffic TCP traffic: 192.168.2.4:55123 -> 186.64.119.240:587
Source: global traffic TCP traffic: 192.168.2.4:55124 -> 160.13.60.151:587
Source: global traffic TCP traffic: 192.168.2.4:55125 -> 195.238.22.30:587
Source: global traffic TCP traffic: 192.168.2.4:55127 -> 129.159.110.135:587
Source: global traffic TCP traffic: 192.168.2.4:55128 -> 197.224.66.144:587
Source: global traffic TCP traffic: 192.168.2.4:55129 -> 84.2.43.67:587
Source: global traffic TCP traffic: 192.168.2.4:55130 -> 198.143.186.234:587
Source: global traffic TCP traffic: 192.168.2.4:55131 -> 103.211.216.137:587
Source: global traffic TCP traffic: 192.168.2.4:55133 -> 195.121.65.26:587
Source: global traffic TCP traffic: 192.168.2.4:55137 -> 62.149.128.202:587
Source: global traffic TCP traffic: 192.168.2.4:55138 -> 212.91.113.96:587
Source: global traffic TCP traffic: 192.168.2.4:55139 -> 23.81.68.43:587
Source: global traffic TCP traffic: 192.168.2.4:55142 -> 186.64.118.30:587
Source: global traffic TCP traffic: 192.168.2.4:55143 -> 103.63.215.102:587
Source: global traffic TCP traffic: 192.168.2.4:55147 -> 203.134.71.82:587
Source: global traffic TCP traffic: 192.168.2.4:55149 -> 13.250.88.201:587
Source: global traffic TCP traffic: 192.168.2.4:55150 -> 140.238.133.27:587
Source: global traffic TCP traffic: 192.168.2.4:55151 -> 15.204.207.249:587
Source: global traffic TCP traffic: 192.168.2.4:55156 -> 175.107.196.14:587
Source: global traffic TCP traffic: 192.168.2.4:55158 -> 209.67.129.55:587
Source: global traffic TCP traffic: 192.168.2.4:55161 -> 91.216.151.57:587
Source: global traffic TCP traffic: 192.168.2.4:55162 -> 202.125.94.90:587
Source: global traffic TCP traffic: 192.168.2.4:55166 -> 177.53.140.240:587
Source: global traffic TCP traffic: 192.168.2.4:55167 -> 38.111.141.32:587
Source: global traffic TCP traffic: 192.168.2.4:55174 -> 62.149.128.200:587
Source: global traffic TCP traffic: 192.168.2.4:55175 -> 20.6.97.20:587
Source: global traffic TCP traffic: 192.168.2.4:55177 -> 64.35.208.156:587
Source: global traffic TCP traffic: 192.168.2.4:55178 -> 200.195.199.10:587
Source: global traffic TCP traffic: 192.168.2.4:55183 -> 173.254.31.29:587
Source: global traffic TCP traffic: 192.168.2.4:55184 -> 185.204.219.204:587
Source: global traffic TCP traffic: 192.168.2.4:55185 -> 103.129.255.200:587
Source: global traffic TCP traffic: 192.168.2.4:55188 -> 195.181.248.170:587
Source: global traffic TCP traffic: 192.168.2.4:55190 -> 64.59.128.135:587
Source: global traffic TCP traffic: 192.168.2.4:55191 -> 217.27.32.193:587
Source: global traffic TCP traffic: 192.168.2.4:55197 -> 177.53.143.242:587
Source: global traffic TCP traffic: 192.168.2.4:55198 -> 34.213.176.2:587
Source: global traffic TCP traffic: 192.168.2.4:55200 -> 92.204.136.188:587
Source: global traffic TCP traffic: 192.168.2.4:55201 -> 52.63.237.70:587
Source: global traffic TCP traffic: 192.168.2.4:55204 -> 191.6.220.100:587
Source: global traffic TCP traffic: 192.168.2.4:55205 -> 94.169.2.51:587
Source: global traffic TCP traffic: 192.168.2.4:60614 -> 220.156.64.7:587
Source: global traffic TCP traffic: 192.168.2.4:60616 -> 37.120.193.124:587
Source: global traffic TCP traffic: 192.168.2.4:60617 -> 195.130.132.11:587
Source: global traffic TCP traffic: 192.168.2.4:60619 -> 154.0.161.25:587
Source: global traffic TCP traffic: 192.168.2.4:60620 -> 181.214.221.49:587
Source: global traffic TCP traffic: 192.168.2.4:60623 -> 81.19.149.85:587
Source: global traffic TCP traffic: 192.168.2.4:60625 -> 191.252.137.76:587
Source: global traffic TCP traffic: 192.168.2.4:60626 -> 212.10.10.66:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Code function: 4_2_004030A8 select,recv, 4_2_004030A8
Source: global traffic DNS traffic detected: DNS query: cobusabobus.cam
Source: global traffic DNS traffic detected: DNS query: zampub.rzeszow.pl
Source: global traffic DNS traffic detected: DNS query: topterrachile.cl
Source: global traffic DNS traffic detected: DNS query: smtp.stofanet.dk
Source: global traffic DNS traffic detected: DNS query: geproin.com
Source: global traffic DNS traffic detected: DNS query: smtp.ca.em-net.ne.jp
Source: global traffic DNS traffic detected: DNS query: smtp.skynet.be
Source: global traffic DNS traffic detected: DNS query: smtp.swtexas.net
Source: global traffic DNS traffic detected: DNS query: mailsecurity.myt.mu
Source: global traffic DNS traffic detected: DNS query: smtp.freemail.hu
Source: global traffic DNS traffic detected: DNS query: mail.uptopeople.com
Source: global traffic DNS traffic detected: DNS query: mail.khalafholding.com
Source: global traffic DNS traffic detected: DNS query: cocoonfertility.com
Source: global traffic DNS traffic detected: DNS query: smtp.hetnet.nl
Source: global traffic DNS traffic detected: DNS query: smtp.ad.em-net.ne.jp
Source: global traffic DNS traffic detected: DNS query: smtp.almarei.it
Source: global traffic DNS traffic detected: DNS query: mail.vip.hr
Source: global traffic DNS traffic detected: DNS query: smtp.stinger.net
Source: global traffic DNS traffic detected: DNS query: smtp.harconstruction.com
Source: global traffic DNS traffic detected: DNS query: mail.a1net.hr
Source: global traffic DNS traffic detected: DNS query: phongkhamdakhoahongphong.vn
Source: global traffic DNS traffic detected: DNS query: smtp.cefasming.com
Source: global traffic DNS traffic detected: DNS query: smtp.iprimus.com.au
Source: global traffic DNS traffic detected: DNS query: smtp.ck.em-net.ne.jp
Source: global traffic DNS traffic detected: DNS query: smtp.comstockland.com
Source: global traffic DNS traffic detected: DNS query: smtp.singnet.com.sg
Source: global traffic DNS traffic detected: DNS query: smtp.mymts.net
Source: global traffic DNS traffic detected: DNS query: concordecc.concord-ecc.com
Source: global traffic DNS traffic detected: DNS query: local-boss.com
Source: global traffic DNS traffic detected: DNS query: smtp.ah.em-net.ne.jp
Source: global traffic DNS traffic detected: DNS query: mail.salaamtakaful.com
Source: global traffic DNS traffic detected: DNS query: smtp.bex.net
Source: global traffic DNS traffic detected: DNS query: mail.cilm.net
Source: global traffic DNS traffic detected: DNS query: mail.uv.ro
Source: global traffic DNS traffic detected: DNS query: mail.staff.gunadarma.ac.id
Source: global traffic DNS traffic detected: DNS query: smtp.deboraland.com
Source: global traffic DNS traffic detected: DNS query: brindespremium.com.br
Source: global traffic DNS traffic detected: DNS query: smtp.legendsnorcal.com
Source: global traffic DNS traffic detected: DNS query: mail.atlanticbb.net
Source: global traffic DNS traffic detected: DNS query: mail.ciputra.co.id
Source: global traffic DNS traffic detected: DNS query: smtp.cubovacanze.it
Source: global traffic DNS traffic detected: DNS query: smtp.wamail.net
Source: global traffic DNS traffic detected: DNS query: smtp.onda.com.br
Source: global traffic DNS traffic detected: DNS query: smtp.taylor-ind.com
Source: global traffic DNS traffic detected: DNS query: heat-it.co.uk
Source: global traffic DNS traffic detected: DNS query: mail.xmbaofeng.com
Source: global traffic DNS traffic detected: DNS query: arcline.pl
Source: global traffic DNS traffic detected: DNS query: smtp.metalsoft.eu
Source: global traffic DNS traffic detected: DNS query: smtp.shaw.ca
Source: global traffic DNS traffic detected: DNS query: smtp.primehome.com
Source: global traffic DNS traffic detected: DNS query: smtp.gamafire.com.br
Source: global traffic DNS traffic detected: DNS query: smtp.mediacombb.net
Source: global traffic DNS traffic detected: DNS query: mail.meusemails.com.br
Source: global traffic DNS traffic detected: DNS query: smtp.tpg.com.au
Source: global traffic DNS traffic detected: DNS query: mx3.conline.co.za
Source: global traffic DNS traffic detected: DNS query: smtp.primustecnologia.com.br
Source: global traffic DNS traffic detected: DNS query: ma.medias.ne.jp
Source: global traffic DNS traffic detected: DNS query: mail.chello.sk
Source: global traffic DNS traffic detected: DNS query: smtp.tumminaro.com
Source: global traffic DNS traffic detected: DNS query: mail.horsefucker.org
Source: global traffic DNS traffic detected: DNS query: smtp.telenet.be
Source: global traffic DNS traffic detected: DNS query: genzcyber.net
Source: global traffic DNS traffic detected: DNS query: mail.wavesmail.xyz
Source: global traffic DNS traffic detected: DNS query: mail.cicek-gmbh.com
Source: global traffic DNS traffic detected: DNS query: alessandrocorreia.com.br
Source: global traffic DNS traffic detected: DNS query: smtp.bbsyd.dk
Source: global traffic DNS traffic detected: DNS query: smtp.eafea.org
Source: global traffic DNS traffic detected: DNS query: mail.technologyyours.com

Spam, unwanted Advertisements and Ransom Demands

Source: SMTP Network traffic detected: Mail traffic on many different IPs 50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD7AAF: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00CD7AAF
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe File created: C:\Windows\Tasks\xcod.job
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD92C6 0_2_00CD92C6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE5011 0_2_00CE5011
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE02F7 0_2_00CE02F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE5282 0_2_00CE5282
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF62A8 0_2_00CF62A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE8253 0_2_00CE8253
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE13FD 0_2_00CE13FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF64D7 0_2_00CF64D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE742E 0_2_00CE742E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE55B0 0_2_00CE55B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFE600 0_2_00CFE600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE07A7 0_2_00CE07A7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE88AF 0_2_00CE88AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CDD833 0_2_00CDD833
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD395A 0_2_00CD395A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD4A8E 0_2_00CD4A8E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFEAAE 0_2_00CFEAAE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D02BB4 0_2_00D02BB4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CDFCCC 0_2_00CDFCCC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE7DDC 0_2_00CE7DDC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD2EB6 0_2_00CD2EB6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003A92C6 3_2_003A92C6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003B5011 3_2_003B5011
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003B8253 3_2_003B8253
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003C62A8 3_2_003C62A8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003B5282 3_2_003B5282
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003B02F7 3_2_003B02F7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003B13FD 3_2_003B13FD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003B742E 3_2_003B742E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003C64D7 3_2_003C64D7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003B55B0 3_2_003B55B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003CE600 3_2_003CE600
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003B07A7 3_2_003B07A7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003AD833 3_2_003AD833
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003B88AF 3_2_003B88AF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003A395A 3_2_003A395A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003CEAAE 3_2_003CEAAE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003A4A8E 3_2_003A4A8E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003D2BB4 3_2_003D2BB4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003AFCCC 3_2_003AFCCC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003B7DDC 3_2_003B7DDC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003A2EB6 3_2_003A2EB6
Source: Joe Sandbox View Dropped File: C:\ProgramData\kgit\xcod.exe CFB1FD0ADF528FCF14647CF3FCD85FB7E4FDDD2167B36F9E8B2424B62453DF28
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe CFB1FD0ADF528FCF14647CF3FCD85FB7E4FDDD2167B36F9E8B2424B62453DF28
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: String function: 003BFFD0 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: String function: 003BFEFC appears 42 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: String function: 003C07A0 appears 31 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00CEFFD0 appears 56 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00CF07A0 appears 31 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00CEFEFC appears 42 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@10/5@75/53
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD7727 GetLastError,FormatMessageW, 0_2_00CD7727
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Code function: 4_2_00401556 CreateToolhelp32Snapshot,Process32First, 4_2_00401556
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Code function: 4_2_00401141 CoInitialize,CoCreateInstance,GetUserNameW,GetUserNameExW,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,CoUninitialize, 4_2_00401141
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEB6D2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00CEB6D2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6908:120:WilError_03
Source: C:\ProgramData\kgit\xcod.exe Mutant created: \Sessions\1\BaseNamedObjects\xcod
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Users\user\Desktop\file.exe Command line argument: sfxname 0_2_00CEF05C
Source: C:\Users\user\Desktop\file.exe Command line argument: sfxstime 0_2_00CEF05C
Source: C:\Users\user\Desktop\file.exe Command line argument: STARTDLG 0_2_00CEF05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: sfxname 3_2_003BF05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: sfxstime 3_2_003BF05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: p0> 3_2_003BF05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: STARTDLG 3_2_003BF05C
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe"
Source: unknown Process created: C:\ProgramData\kgit\xcod.exe C:\ProgramData\kgit\xcod.exe start2
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Section loaded: mpr.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: secur32.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\kgit\xcod.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe, work.exe.0.dr
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5496031
Source: file.exe Static PE information: section name: .didat
Source: work.exe.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF07F0 push ecx; ret 0_2_00CF0803
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF2D86 push es; iretd 0_2_00CF2D87
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEFEFC push eax; ret 0_2_00CEFF1A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003C07F0 push ecx; ret 3_2_003C0803
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003BFEFC push eax; ret 3_2_003BFF1A
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe File created: C:\ProgramData\kgit\xcod.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe File created: C:\ProgramData\kgit\xcod.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe File created: C:\Windows\Tasks\xcod.job
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe RDTSC instruction interceptor: First address: 403843 second address: 403843 instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 mov ebp, esp 0x00000005 push ebx 0x00000006 push ecx 0x00000007 push edx 0x00000008 push edi 0x00000009 push esi 0x0000000a imul eax, eax, 001E7319h 0x00000010 add eax, 3CFB5543h 0x00000015 rcr eax, 10h 0x00000018 add eax, ecx 0x0000001a test edx, edx 0x0000001c je 00007F490884C255h 0x0000001e imul eax, edx 0x00000021 xor edx, edx 0x00000023 mul dword ptr [ebp+08h] 0x00000026 mov eax, edx 0x00000028 pop esi 0x00000029 pop edi 0x0000002a pop edx 0x0000002b pop ecx 0x0000002c pop ebx 0x0000002d leave 0x0000002e retn 0004h 0x00000031 lea ebx, dword ptr [eax+04h] 0x00000034 push 00000018h 0x00000036 call 00007F490884EA1Eh 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Code function: 4_2_00403843 rdtsc 4_2_00403843
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\file.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe TID: 7156 Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\kgit\xcod.exe TID: 5912 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CDBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00CDBA94
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CED420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00CED420
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003ABA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 3_2_003ABA94
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003BD420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 3_2_003BD420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEF82F VirtualQuery,GetSystemInfo, 0_2_00CEF82F
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Thread delayed: delay time: 60000
Source: C:\ProgramData\kgit\xcod.exe Thread delayed: delay time: 60000
Source: file.exe, 00000000.00000003.1622703014.0000000003412000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: work.exe, 00000003.00000003.1631691103.000000000320D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\H
Source: xcod.exe, 00000005.00000002.2872426086.000000000055E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Code function: 4_2_00403843 rdtsc 4_2_00403843
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF0A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CF0A0A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF91B0 mov eax, dword ptr fs:[00000030h] 0_2_00CF91B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003C91B0 mov eax, dword ptr fs:[00000030h] 3_2_003C91B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Code function: 4_2_00401000 mov eax, dword ptr fs:[00000030h] 4_2_00401000
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Code function: 4_2_004039F9 mov eax, dword ptr fs:[00000030h] 4_2_004039F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFD1F0 GetProcessHeap, 0_2_00CFD1F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF0A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CF0A0A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF0B9D SetUnhandledExceptionFilter, 0_2_00CF0B9D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF0D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00CF0D8A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF4FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CF4FEF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003C0A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_003C0A0A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003C0B9D SetUnhandledExceptionFilter, 3_2_003C0B9D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003C0D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_003C0D8A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003C4FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_003C4FEF
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEBEFF SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryW,LocalFree, 0_2_00CEBEFF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF0826 cpuid 0_2_00CF0826
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00CEC093
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: GetLocaleInfoW,GetNumberFormatW, 3_2_003BC093
Source: C:\ProgramData\kgit\xcod.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEF05C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00CEF05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe Code function: 4_2_00401141 CoInitialize,CoCreateInstance,GetUserNameW,GetUserNameExW,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,CoUninitialize, 4_2_00401141
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CDC365 GetVersionExW, 0_2_00CDC365
Source: work.exe, 00000003.00000003.1623122977.00000000073E4000.00000004.00000020.00020000.00000000.sdmp, pogflaw.exe, pogflaw.exe, 00000004.00000000.1625426669.0000000000405000.00000008.00000001.01000000.0000000B.sdmp, pogflaw.exe, 00000004.00000002.1629837474.0000000000405000.00000004.00000001.01000000.0000000B.sdmp, xcod.exe, 00000005.00000000.1630417024.0000000000405000.00000008.00000001.01000000.0000000C.sdmp, xcod.exe, 00000005.00000002.2872134446.0000000000405000.00000004.00000001.01000000.0000000C.sdmp, pogflaw.exe.3.dr, xcod.exe.4.dr Binary or memory string: a2guard.exe

Stealing of Sensitive Information

Source: Yara match File source: 5.2.xcod.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.pogflaw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.pogflaw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.xcod.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2872084484.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.1625351215.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1623122977.00000000073E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1629763597.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.1630347398.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: work.exe PID: 7024, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pogflaw.exe PID: 7152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xcod.exe PID: 5980, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\kgit\xcod.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 5.2.xcod.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.pogflaw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.pogflaw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.xcod.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2872084484.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.1625351215.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1623122977.00000000073E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1629763597.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.1630347398.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: work.exe PID: 7024, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pogflaw.exe PID: 7152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xcod.exe PID: 5980, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\kgit\xcod.exe, type: DROPPED