Windows Analysis Report
uCLkYbZQoA.exe

Overview

General Information

Sample name: uCLkYbZQoA.exe
(renamed because the original name is a hash value)
Original sample name: 36cba9f836266dd47c2629af72d7fa24.exe
Analysis ID: 1447638
MD5: 36cba9f836266dd47c2629af72d7fa24
SHA1: 277628e74f7f1dc7aa16412d5c476f62bab39e89
SHA256: 3ce9fcec1c68c11c4502acdd2c0f0e18c5b5593cb0dbe8ca2fd7ac42189617cc
Tags: exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to read data from the clipboard
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: http://47.110.247.171/chdyz/chdyz.dll Avira URL Cloud: Label: malware
Source: http://47.110.247.171/chdyz/chdyz.exe Avira URL Cloud: Label: malware
Source: http://47.110.247.171/chdyz/chdyz.7z.tmpSuper-EC Virustotal: Detection: 9% Perma Link
Source: http://47.110.247.171/chdyz/chdyz.7z Virustotal: Detection: 11% Perma Link
Source: http://47.110.247.171/login/verup.php Virustotal: Detection: 9% Perma Link
Source: http://47.110.247.171/login/login.php Virustotal: Detection: 9% Perma Link
Source: http://47.110.247.171/chdyz/chdyz.dll Virustotal: Detection: 14% Perma Link
Source: http://47.110.247.171/ Virustotal: Detection: 9% Perma Link
Source: http://47.110.247.171/chdyz/chdyz.exe Virustotal: Detection: 15% Perma Link
Source: uCLkYbZQoA.exe ReversingLabs: Detection: 58%
Source: uCLkYbZQoA.exe Virustotal: Detection: 65% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 77.5% probability
Source: uCLkYbZQoA.exe Joe Sandbox ML: detected
Source: uCLkYbZQoA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004234C0 FindNextFileA,FindClose,FindFirstFileA,FindClose, 0_2_004234C0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0042B8A0 FindFirstFileA,FindClose, 0_2_0042B8A0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004B60FD __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_004B60FD
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00419130 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 0_2_00419130
Source: Joe Sandbox View IP Address: 47.110.247.171 47.110.247.171
Source: global traffic HTTP traffic detected:
  POST /login/verup.php HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: text/html, application/xhtml+xml, */*
  Accept-Encoding: gbk, GB2312
  Accept-Language: zh-cn
  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
  Content-Length: 26
  Host: 47.110.247.171
Source: global traffic HTTP traffic detected:
  POST /login/login.php HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: text/html, application/xhtml+xml, */*
  Accept-Encoding: gbk, GB2312
  Accept-Language: zh-cn
  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
  Content-Length: 12
  Host: 47.110.247.171
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00436A20 ioctlsocket,recvfrom, 0_2_00436A20
Source: unknown HTTP traffic detected:
  POST /login/verup.php HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: text/html, application/xhtml+xml, */*
  Accept-Encoding: gbk, GB2312
  Accept-Language: zh-cn
  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
  Content-Length: 26
  Host: 47.110.247.171
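The POST requests above share a client profile that is easy to fingerprint on the wire: a fixed IE 9 user agent, Accept-Language zh-cn, Cache-Control no-cache, an IP-literal Host, and an Accept-Encoding of "gbk, GB2312", which names character sets rather than HTTP content-codings and is not something a real browser sends. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it rebuilds the two observed request heads from the header values listed above, scores them against a constructed benign request, and returns the indicators each one matches. The indicator names, the benign request and the weighting of an IP-literal Host as a weak signal are this editor's choices.

```python
"""Fingerprint HTTP request heads against the C2 profile observed in this report.

Added example (not Joe Sandbox code and not the sample's code). The constants
are copied from the two POSTs listed in the report; BENIGN_REQUEST is a
constructed request used only for comparison.
"""
import re
from typing import Dict, List, Tuple

C2_HOST = "47.110.247.171"          # destination IP seen as the Host header
C2_PATHS = {                         # paths seen in traffic and in memory strings
    "/", "/login/verup.php", "/login/login.php",
    "/chdyz/chdyz.exe", "/chdyz/chdyz.dll", "/chdyz/chdyz.7z",
}
C2_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, path, headers).

    Header names are lower-cased; any body after the blank line is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def fingerprint(raw: str) -> List[str]:
    """Return the indicators a request matches (empty list = no match)."""
    method, path, h = parse_request(raw)
    hits: List[str] = []
    host = h.get("host", "")
    if host == C2_HOST:
        hits.append("host:known-c2-address")
    elif IP_LITERAL.match(host):
        hits.append("host:ip-literal")        # weak on its own (assumption: low weight)
    if host == C2_HOST and path in C2_PATHS:
        hits.append("path:known-c2-path")
    # gbk / GB2312 are character sets, not content-codings; browsers never
    # advertise them in Accept-Encoding, so this alone is a strong signal.
    if re.search(r"\b(?:gbk|gb2312)\b", h.get("accept-encoding", ""), re.I):
        hits.append("accept-encoding:charset-instead-of-coding")
    if (h.get("user-agent") == C2_USER_AGENT
            and h.get("accept-language", "").lower() == "zh-cn"
            and h.get("cache-control", "").lower() == "no-cache"):
        hits.append("headers:observed-client-profile")
    if (method == "POST"
            and h.get("content-type", "") == "application/x-www-form-urlencoded"
            and path.endswith(".php")
            and "host:known-c2-address" in hits):
        hits.append("post:form-to-c2-php")
    return hits


def observed_request(path: str, length: int) -> str:
    """Rebuild one of the two POST heads listed in the report (body omitted)."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        "Cache-Control: no-cache\r\n"
        "Connection: Keep-Alive\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Accept: text/html, application/xhtml+xml, */*\r\n"
        "Accept-Encoding: gbk, GB2312\r\n"
        "Accept-Language: zh-cn\r\n"
        f"User-Agent: {C2_USER_AGENT}\r\n"
        f"Content-Length: {length}\r\n"
        f"Host: {C2_HOST}\r\n\r\n"
    )


# Constructed benign request for comparison (not taken from the report).
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "Chrome/120.0 Safari/537.36\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in [("verup", observed_request("/login/verup.php", 26)),
                      ("login", observed_request("/login/login.php", 12)),
                      ("benign", BENIGN_REQUEST)]:
        print(name, fingerprint(req))
```

The Accept-Encoding check is the one worth keeping after the C2 address rotates: the host and path constants age quickly, whereas a client that advertises a code page as a content-coding is a property of the malware's HTTP library and survives infrastructure changes.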
Source: uCLkYbZQoA.exe, 00000000.00000003.1699111246.00000000005BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.110.247.171/
Source: uCLkYbZQoA.exe String found in binary or memory: http://47.110.247.171/chdyz/chdyz.7z
Source: uCLkYbZQoA.exe String found in binary or memory: http://47.110.247.171/chdyz/chdyz.7z.tmpSuper-EC
Source: uCLkYbZQoA.exe String found in binary or memory: http://47.110.247.171/chdyz/chdyz.dll
Source: uCLkYbZQoA.exe String found in binary or memory: http://47.110.247.171/chdyz/chdyz.exe
Source: uCLkYbZQoA.exe String found in binary or memory: http://47.110.247.171/login/login.php
Source: uCLkYbZQoA.exe, 00000000.00000003.1699111246.00000000005D3000.00000004.00000020.00020000.00000000.sdmp, uCLkYbZQoA.exe, 00000000.00000003.1699235413.00000000005D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.110.247.171/login/login.phpl_
Source: uCLkYbZQoA.exe String found in binary or memory: http://47.110.247.171/login/verup.php
Source: uCLkYbZQoA.exe String found in binary or memory: http://47.110.247.171/login/verup.php0-1
Source: uCLkYbZQoA.exe, 00000000.00000003.1699111246.00000000005BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.110.247.171/wR
Source: uCLkYbZQoA.exe String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: uCLkYbZQoA.exe, 00000000.00000003.1699053207.0000000000600000.00000004.00000020.00020000.00000000.sdmp, uCLkYbZQoA.exe, 00000000.00000003.2300427638.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, uCLkYbZQoA.exe, 00000000.00000003.1699280374.0000000000601000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pan.baidu.com/s/1D28osmCWE-A_Oote3X5wsg?pwd=985d
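Several of the URL strings above carry trailing bytes that are not part of the URL ("l_", "0-1", "wR", ".tmpSuper-EC", ")DVarFileInfo$"): they are whatever followed the string in memory or in the version resource, which is why the same address appears with several spellings. The Python below is an added example, not Joe Sandbox logic: it carves the URL out of each string as listed in the report and collapses the memory-adjacent variants into one IOC list plus the set of hosts, marking which hosts are IP literals. The collapsing rule (drop a string when a shorter string on the list is its prefix and the remainder adds no new path segment or query) is this editor's heuristic. Whether www.eyuyan.com and the pan.baidu.com share link belong on a block list at all is an analyst decision; the code only normalises them.

```python
"""Normalise URL-like strings carved from a memory dump into a clean IOC list.

Added example (not part of the report). MEMORY_STRINGS are the strings the
report lists under "String found in binary or memory"; collapse_variants()
is this editor's heuristic for memory-adjacent junk, not Joe Sandbox logic.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

MEMORY_STRINGS = [
    "http://47.110.247.171/",
    "http://47.110.247.171/chdyz/chdyz.7z",
    "http://47.110.247.171/chdyz/chdyz.7z.tmpSuper-EC",
    "http://47.110.247.171/chdyz/chdyz.dll",
    "http://47.110.247.171/chdyz/chdyz.exe",
    "http://47.110.247.171/login/login.php",
    "http://47.110.247.171/login/login.phpl_",
    "http://47.110.247.171/login/verup.php",
    "http://47.110.247.171/login/verup.php0-1",
    "http://47.110.247.171/wR",
    "http://www.eyuyan.com)DVarFileInfo$",
    "https://pan.baidu.com/s/1D28osmCWE-A_Oote3X5wsg?pwd=985d",
]

# scheme://host[:port][/path]; the path stops at whitespace, quotes and brackets,
# which is what cuts ")DVarFileInfo$" off the eyuyan.com string.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>()\[\]]*)?")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def carve_urls(strings: List[str]) -> List[str]:
    """Cut each string down to its URL-looking prefix; skip non-URLs."""
    out = []
    for s in strings:
        m = URL_RE.match(s)
        if m:
            out.append(m.group(0))
    return out


def collapse_variants(urls: List[str]) -> List[str]:
    """Drop a URL when a shorter URL is its prefix and the remainder is neither a
    new path segment nor a query/fragment: 'login.phpl_' -> 'login.php',
    '/wR' -> '/'. '/a.php' and '/a.php?x=1' are kept as two distinct URLs."""
    keep: List[str] = []
    for u in sorted(set(urls), key=len):        # shortest first so prefixes come first
        junk = False
        for shorter in keep:
            if u.startswith(shorter):
                rest = u[len(shorter):]
                if "/" not in rest and not rest.startswith(("?", "#")):
                    junk = True
                    break
        if not junk:
            keep.append(u)
    return sorted(keep)


def iocs_from_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Return cleaned URLs, their hosts, and the subset of hosts that are IPv4 literals."""
    urls = collapse_variants(carve_urls(strings))
    hosts = sorted({urlsplit(u).hostname for u in urls})
    ip_hosts = [h for h in hosts if IPV4_RE.match(h)]
    return {"urls": urls, "hosts": hosts, "ip_hosts": ip_hosts}


if __name__ == "__main__":
    result = iocs_from_strings(MEMORY_STRINGS)
    for url in result["urls"]:
        print(url)
    print("hosts:", result["hosts"], "ip literals:", result["ip_hosts"])
```

The heuristic only works when the clean spelling is also present, as it is here; a dump that contained only "login.phpl_" would keep it unchanged, so review the output rather than feeding it straight into a block list.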
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0043FAE0 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0043FAE0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0043FAE0 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0043FAE0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0043FC40 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_0043FC40
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004782B0 GetWindowRect,GetWindowDC,CreateCompatibleDC,SetBkMode,CreateCompatibleBitmap,SelectObject,BitBlt, 0_2_004782B0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004BA7D4 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_004BA7D4
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0042BA50 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0042BA50
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00421760 0_2_00421760
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004B7F51 0_2_004B7F51
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045E149 0_2_0045E149
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0042C110 0_2_0042C110
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00452120 0_2_00452120
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004481C0 0_2_004481C0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045024D 0_2_0045024D
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0044A2C0 0_2_0044A2C0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00460290 0_2_00460290
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045E606 0_2_0045E606
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0043A740 0_2_0043A740
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045A780 0_2_0045A780
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004507B2 0_2_004507B2
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0046E8E0 0_2_0046E8E0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045E8F1 0_2_0045E8F1
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0046A9D0 0_2_0046A9D0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00470A30 0_2_00470A30
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045EAA4 0_2_0045EAA4
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0046CBF0 0_2_0046CBF0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045ACC0 0_2_0045ACC0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00464D4E 0_2_00464D4E
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00450D10 0_2_00450D10
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045ED1E 0_2_0045ED1E
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00456DB0 0_2_00456DB0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0046EE60 0_2_0046EE60
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00424FC0 0_2_00424FC0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00464F9E 0_2_00464F9E
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004570C0 0_2_004570C0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045F150 0_2_0045F150
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004AD276 0_2_004AD276
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045D3F0 0_2_0045D3F0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0046B470 0_2_0046B470
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004574F0 0_2_004574F0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045F620 0_2_0045F620
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004B163D 0_2_004B163D
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0044D7F0 0_2_0044D7F0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045F850 0_2_0045F850
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00423AD0 0_2_00423AD0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0044DB20 0_2_0044DB20
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045DC30 0_2_0045DC30
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0045BF70 0_2_0045BF70
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0042DF30 0_2_0042DF30
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: String function: 004567F0 appears 73 times
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: String function: 00456570 appears 37 times
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: String function: 004563E0 appears 73 times
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: String function: 004A7C38 appears 70 times
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: String function: 004B7011 appears 44 times
Source: uCLkYbZQoA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal72.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00470ED0 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 0_2_00470ED0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0040F400 LoadTypeLib,GetUserDefaultLCID,LHashValOfNameSys,RegisterTypeLib,CoCreateInstance,CoCreateInstance,CoCreateInstance,OleRun,CoCreateInstance,CoCreateInstance, 0_2_0040F400
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004B6785 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow, 0_2_004B6785
Source: uCLkYbZQoA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: uCLkYbZQoA.exe ReversingLabs: Detection: 58%
Source: uCLkYbZQoA.exe Virustotal: Detection: 65%
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\InprocServer32 Jump to behavior
Source: uCLkYbZQoA.exe Static file information: File size 1056768 > 1048576
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00422D50 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_00422D50
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004A5030 push eax; ret 0_2_004A505E
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004A7C38 push eax; ret 0_2_004A7C56
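The two findings above are the concrete form of the "call, push, ret" obfuscation signature: a function that ends in push eax; ret transfers control to whatever is in eax without a jmp or call instruction, so a disassembler's cross-references and a simple import-based triage both miss the real control flow. The Python below is an added example, not Joe Sandbox code and not the sample's bytes: it does a linear scan of raw x86 code for the three byte patterns involved (push reg; ret, push imm32; ret, and call to the next instruction) and reports them as virtual addresses. CODE is a constructed buffer that imitates the pattern, and the image base and .text RVA are assumptions; being a byte scan rather than a disassembly, it can fire on data or on the tail of an unrelated instruction, so treat hits as triage leads.

```python
"""Linear scan of x86 code bytes for push/ret and call-next control-flow tricks.

Added example (not Joe Sandbox code). CODE is a constructed byte string, and
IMAGE_BASE / TEXT_RVA are assumed values for the demo, not the sample's layout.
"""
import struct
from typing import List, Tuple

IMAGE_BASE = 0x400000     # assumed; RELOCS_STRIPPED in the report means the base is fixed
TEXT_RVA = 0x1000         # assumed RVA at which the constructed buffer would be mapped

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_obfuscated_flow(code: bytes, base_va: int = IMAGE_BASE + TEXT_RVA) -> List[Tuple]:
    """Return (va, kind, target) for each pattern found:
      68 imm32 C3   push imm32; ret   -> absolute jump to imm32 without a jmp
      50+r C3       push r32; ret     -> jump to the value in the register
      E8 00000000   call $+5          -> pushes its own address (getpc), no real call
    target is the immediate, the register name, or the next-instruction VA."""
    hits: List[Tuple] = []
    i, n = 0, len(code)
    while i < n:
        b = code[i]
        if b == 0x68 and i + 5 < n and code[i + 5] == 0xC3:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base_va + i, "push-imm32/ret", imm))
            i += 6
            continue
        if 0x50 <= b <= 0x57 and i + 1 < n and code[i + 1] == 0xC3:
            hits.append((base_va + i, "push-reg/ret", REGS[b - 0x50]))
            i += 2
            continue
        if b == 0xE8 and i + 4 < n and code[i + 1:i + 5] == b"\x00\x00\x00\x00":
            hits.append((base_va + i, "call-next", base_va + i + 5))
            i += 5
            continue
        i += 1
    return hits


# Constructed code buffer: an ordinary prologue, a getpc sequence that ends in
# push eax; ret, then a push imm32; ret, then a plain function tail.
CODE = (
    b"\x55\x8b\xec"                  # push ebp; mov ebp, esp   (no hit: next byte is not C3)
    b"\xe8\x00\x00\x00\x00"          # call $+5                 (hit: call-next)
    b"\x58"                          # pop eax                  (eax = address after the call)
    b"\x05\x20\x00\x00\x00"          # add eax, 0x20
    b"\x50\xc3"                      # push eax; ret            (hit: jmp eax in disguise)
    b"\x90\x90"                      # nop; nop
    b"\x68\x78\x56\x34\x12\xc3"      # push 0x12345678; ret     (hit: jmp 0x12345678 in disguise)
    b"\x33\xc0\xc3"                  # xor eax, eax; ret        (plain return, no hit)
)

if __name__ == "__main__":
    for va, kind, target in find_obfuscated_flow(CODE):
        shown = target if isinstance(target, str) else f"0x{target:08X}"
        print(f"0x{va:08X}  {kind:16s} -> {shown}")
```

Run over a real .text section, set base_va to the image base plus the section's VirtualAddress and compare the hit list with the function boundaries the disassembler found; a hit sitting at the last two bytes of a function, as at 0_2_004A505E and 0_2_004A7C56 above, is the tail-jump form, while a hit in the middle of a function more often indicates a getpc sequence or a false positive.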
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00421760 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,KiUserCallbackDispatcher,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus, 0_2_00421760
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00426B30 DestroyIcon,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu, 0_2_00426B30
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0042AF20 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow, 0_2_0042AF20
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004A356F MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 0_2_004A356F
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe API coverage: 8.7 %
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe TID: 7292 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004234C0 FindNextFileA,FindClose,FindFirstFileA,FindClose, 0_2_004234C0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_0042B8A0 FindFirstFileA,FindClose, 0_2_0042B8A0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004B60FD __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_004B60FD
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00419130 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 0_2_00419130
Source: uCLkYbZQoA.exe, 00000000.00000002.2893370678.00000000005A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWph^%SystemRoot%\system32\mswsock.dllkt
Source: uCLkYbZQoA.exe, 00000000.00000003.1699235413.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, uCLkYbZQoA.exe, 00000000.00000003.2300396487.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, uCLkYbZQoA.exe, 00000000.00000002.2893579159.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, uCLkYbZQoA.exe, 00000000.00000003.2300427638.00000000005E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00422D50 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_00422D50
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_00449020 GetProcessHeap,OleInitialize,GetModuleFileNameA,SetCurrentDirectoryA,LoadCursorA,GetStockObject,GetCurrentThreadId, 0_2_00449020
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004A65E0 GetLocalTime,GetSystemTime,GetTimeZoneInformation, 0_2_004A65E0
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004B005F GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_004B005F
Source: C:\Users\user\Desktop\uCLkYbZQoA.exe Code function: 0_2_004B7F51 __EH_prolog,GetVersion, 0_2_004B7F51