Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1458491
MD5: a564dbcbdc8924e627d6d8ee5c35cb68
SHA1: 419b4fe070e1270d951a7d3f34c1aace498ec938
SHA256: d4c2b86da22454e078e6b0227b77cc7b3f0c889c4a52d616b1f54d43790ad6e2
Tags: exe
Infos:

Detection

PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Enables security privileges
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
zgRAT zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.6% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: NEWdefault_setup.pdb source: file.exe
Source: Binary string: PE.pdbH] source: file.exe, 00000000.00000002.2042725412.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2057498658.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: PE.pdb source: file.exe, 00000000.00000002.2042725412.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2057498658.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\teres\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\uOxoA.pdb source: file.exe, 00000000.00000002.2047818630.00000000037AF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2058833933.0000000004E90000.00000004.08000000.00040000.00000000.sdmp

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.0.file.exe.20000.0.unpack, type: UNPACKEDPE
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003313000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\]q equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003313000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003313000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\]q equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003313000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,]q equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003313000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `,]q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2047818630.00000000036B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ConstBaseUri/ConstService.svc/
Source: file.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe String found in binary or memory: http://www.georss.org/georss
Source: file.exe String found in binary or memory: http://www.iana.org/assignments/relation/
Source: file.exe String found in binary or memory: http://www.opengis.net/gml
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003363000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: file.exe String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Installs a raw input device (often for capturing keystrokes)
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003489000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_80035411-9

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.file.exe.3cbeeb0.6.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.3b86830.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.3d270e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.3cbeeb0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.3beea60.3.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.3b86830.5.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.3d270e0.4.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.3beea60.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.3a3f010.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.38f77e0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.file.exe.3beea60.3.raw.unpack, Strings.cs Large array initialization: Strings: array initializer size 6160
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D55CD0 0_2_00D55CD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D560B8 0_2_00D560B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D560A8 0_2_00D560A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D55CC1 0_2_00D55CC1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05011A40 0_2_05011A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05011A3F 0_2_05011A3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_03107750 2_2_03107750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_03107740 2_2_03107740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_03107498 2_2_03107498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0310748B 2_2_0310748B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0581274C 2_2_0581274C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_05813611 2_2_05813611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_05811613 2_2_05811613
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_05811667 2_2_05811667
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_05811668 2_2_05811668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_05810CA8 2_2_05810CA8
Enables security privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Security Jump to behavior
PE / OLE file has an invalid certificate
Source: file.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000000.2035000777.0000000000022000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNEWdefault_setup.exe$ vs file.exe
Source: file.exe, 00000000.00000002.2047818630.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMummifies.exe" vs file.exe
Source: file.exe, 00000000.00000002.2047818630.00000000037AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuOxoA.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2058833933.0000000004E90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameuOxoA.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2047818630.0000000003D22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMummifies.exe" vs file.exe
Source: file.exe, 00000000.00000002.2042725412.00000000026B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePE.dll& vs file.exe
Source: file.exe, 00000000.00000002.2042725412.00000000027B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs file.exe
Source: file.exe, 00000000.00000002.2042725412.00000000027B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.2042725412.00000000027B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.2057498658.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePE.dll& vs file.exe
Source: file.exe, 00000000.00000002.2047818630.0000000003DF2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMummifies.exe" vs file.exe
Source: file.exe, 00000000.00000002.2041785195.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2047818630.0000000003D8A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMummifies.exe" vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameNEWdefault_setup.exe$ vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 0.2.file.exe.3cbeeb0.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.3b86830.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.3d270e0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.3cbeeb0.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.3beea60.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.3b86830.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.3d270e0.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.3beea60.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.3a3f010.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.38f77e0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.4e90000.9.raw.unpack, BxuDLR.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.file.exe.3beea60.3.raw.unpack, PBE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.3beea60.3.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3beea60.3.raw.unpack, A2H1lUZ15GsIooGy4G.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3beea60.3.raw.unpack, A2H1lUZ15GsIooGy4G.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3beea60.3.raw.unpack, Strings.cs Base64 encoded string: 'JVMXKSwwAjs5OBgRIiITGjkHQQIEKjk5NhMQDiNSHx0yRjMIMF0mISELJSk2Ow0BMhY6FggATSIVN19R'
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/2@0/0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_03
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mscorjit.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 3779768 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x36d400
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: NEWdefault_setup.pdb source: file.exe
Source: Binary string: PE.pdbH] source: file.exe, 00000000.00000002.2042725412.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2057498658.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: PE.pdb source: file.exe, 00000000.00000002.2042725412.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2057498658.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\teres\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\uOxoA.pdb source: file.exe, 00000000.00000002.2047818630.00000000037AF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2058833933.0000000004E90000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.file.exe.3beea60.3.raw.unpack, A2H1lUZ15GsIooGy4G.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D5038D push esp; ret 0_2_00D502D3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D54374 push ds; iretd 0_2_00D54377
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0310E3E0 push 1C0578C3h; ret 2_2_0310E3E5
Source: 0.2.file.exe.3beea60.3.raw.unpack, StringDecrypt.cs High entropy of concatenated method names: 'Xor', 'FromBase64', 'BytesToStringConverted', 'Read', 'EKO0Z7Pxk5gWC6CJcr0', 'qBdTaqPivXhTI3xrOcO', 'uR1x7APWCHDi3duJ9Tx', 'pFlcW5PuNVuqUGO2UJt', 'xIkIb8PhUB9WSy6mhot'
Source: 0.2.file.exe.3beea60.3.raw.unpack, Form1.cs High entropy of concatenated method names: '_003CReadLine_003Eb__2_0', 'nKlPPFrBuOyguttl2JG', 'lQoKE4rMglU8oT2E9Cr', 'Px2onyrZlJxFTURnuB1', 'Form1_Load', 'ReadLine', 'Dispose', 'InitializeComponent', 'zvQxIsEK9FcxKGjfoCU', 'TlXsgrEvaMfHZ8XbFxi'
Source: 0.2.file.exe.3beea60.3.raw.unpack, Strings.cs High entropy of concatenated method names: 'Init', 'Decrypt', 'Get', 'r7RSSvUpLinc0hcMarE', 'VaXVGCUMned0u2TkY9I', 'JquY6lUZ8rJsN2Ot347', 'Mg7ENNUKwMyuxX13CQ1', 'cjRk6dUvCgs6IygYJn7', 'ab1THGUlEVjfj4bowFo'
Source: 0.2.file.exe.3beea60.3.raw.unpack, IPv4Helper.cs High entropy of concatenated method names: 'IsLocalIp', 'GetDefaultIPv4Address', 'Request', 'tXwG1jU8BDU8MUgF25s', 'KXofDZUmQ7Z9O90iFjE', 'OFCIsDUk20WFhUxbhl0', 'YYSPA3UHCwGFouB6HEE', 'mc7ylqUshLxRD9mHyEh', 'u8wBw8Uej1O94X1bxYT'
Source: 0.2.file.exe.3beea60.3.raw.unpack, Auhi.cs High entropy of concatenated method names: 'I\u04341', 'I\u04342', 'I\u04343', 'I\u04344', 'WIqEIfnUEBeHJB2kQ8N', 'LjqOtonGdhfi1cAvGO7', 'q1wuYNnfWTDZIXAalCj', 'uCpsyAnrWpUFgkZ3xNX', 'og9qXQnOosJ1t9ECtwu', 'PcvdUanw7AhqJhcyo0k'
Source: 0.2.file.exe.3beea60.3.raw.unpack, FieldRootRoot.cs High entropy of concatenated method names: 'Field1', 'Rerwkjnk2k92Dke6bTh', 'UivWd5nHPyQoGipavk4', 'r1cLQ8nsd2pXcoDjMtw', 'C2VTVmneLXAk5oR8sKL', 'O7riNHnBhAwWNmVsPir', 'dB5qu9n8yJhgxMxpWpo', 'HpvuoinmqHATWBT0YIJ'
Source: 0.2.file.exe.3beea60.3.raw.unpack, FieldRoot19.cs High entropy of concatenated method names: 'Field1', 'Field2', 'Field3', 'mfsisq754Lbo2iZZOfT', 'W5Lm4W7zDsCRXmZPweY', 'vdOuk6n4ZAgsmnjOsNM', 'sToChBnX867tvhKnFfy', 'MKWOVw7b5w6PKeMON9f', 'cxmU4m7J0jKN3dH5GIt'
Source: 0.2.file.exe.3beea60.3.raw.unpack, TripleDes.cs High entropy of concatenated method names: 'ComputeVoid', 'Compute', 'DecryptStringDesCbc', 'DecryptByteDesCbc', 'bgOklRPoJM4PVpCOJPS', 'Aqbei7Pbaem13Nme1Pr', 'sYQBXNPJnVCylvDEZCM', 'CAGZ8SP5U9LHRSOZAWr', 'SoXfIHPzfNbCG33KH0H', 'vBbaUyU4jH7To54Nw2I'
Source: 0.2.file.exe.3beea60.3.raw.unpack, A2H1lUZ15GsIooGy4G.cs High entropy of concatenated method names: 'DywKPUObIYCXCwNx7Gb', 'xs9vAXOJnaMeDGpwPIB', 'LtQPyoxJn7', 'Mywb1mwXpGGFtTeXGfD', 'jVh2E3wLZXU8S9kxkgh', 'wDA3gjwjSrCoI6wpEjs', 'g38PJ8K3c0', 'AZCPHbxqQi', 'kjCPpoa2Hi', 'zssPO0JXVk'
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: file.exe PID: 5012, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003363000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE@\]Q
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003363000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE`,]Q
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003363000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\file.exe Memory allocated: 9E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 26B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 46B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 30A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3230000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 5230000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 2716 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1308 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003363000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe`,]q
Source: file.exe Binary or memory string: YDKWYRQAKCYLLBPMZEKWHAEKDPRLFSWRDJHEYALGLZKWYEIAHFEMTD
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003363000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003363000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe@\]q
Source: file.exe Binary or memory string: gqvJFvQEmUBCxZCkaXZy
Source: file.exe Binary or memory string: Qemu5sffh1WhJCD4BaL
Enables debug privileges
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 456000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 46C000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1046008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003489000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: MSBuild.exe, 00000002.00000002.2055185059.0000000003489000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.2.file.exe.3cbeeb0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3b86830.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d270e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3cbeeb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3beea60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3b86830.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d270e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3beea60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3a3f010.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.38f77e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2047818630.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2047476095.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047818630.0000000003D8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047818630.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2035000777.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047818630.00000000037AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected zgRAT
Source: Yara match File source: 0.2.file.exe.3cbeeb0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3b86830.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d270e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3cbeeb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3beea60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3b86830.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d270e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3beea60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3a3f010.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.38f77e0.7.raw.unpack, type: UNPACKEDPE

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.2.file.exe.3cbeeb0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3b86830.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d270e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3cbeeb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3beea60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3b86830.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d270e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3beea60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3a3f010.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.38f77e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2047818630.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2047476095.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047818630.0000000003D8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047818630.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2035000777.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047818630.00000000037AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected zgRAT
Source: Yara match File source: 0.2.file.exe.3cbeeb0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3b86830.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d270e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3cbeeb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3beea60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3b86830.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d270e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3beea60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3a3f010.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.38f77e0.7.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1458491 Sample: file.exe Startdate: 17/06/2024 Architecture: WINDOWS Score: 100 18 Malicious sample detected (through community Yara rule) 2->18 20 Yara detected PureLog Stealer 2->20 22 Yara detected zgRAT 2->22 24 6 other signatures 2->24 7 file.exe 3 2->7         started        process3 file4 16 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 7->16 dropped 26 Writes to foreign memory regions 7->26 28 Allocates memory in foreign processes 7->28 30 Injects a PE file into a foreign processes 7->30 11 MSBuild.exe 4 7->11         started        signatures5 process6 signatures7 32 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->32 14 conhost.exe 11->14         started        process8
No contacted IP infos

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true