Windows Analysis Report
ZX7MDKtbfn.exe

Overview

General Information

Sample name: ZX7MDKtbfn.exe
renamed because original name is a hash value
Original sample name: 1aeb3a19d439d8a4a00313d12f463827.exe
Analysis ID: 1464724
MD5: 1aeb3a19d439d8a4a00313d12f463827
SHA1: beedd7366e1ef168595d800ebe013067c78775de
SHA256: b0e5fddc8448dc854ab400c9b0ac82c43a2f44fa6970cd2975e7d28116a7740d
Tags: exeStealc
Infos:

Detection

Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://188.130.207.35/0b92e7ab19e861f9.php Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Found malware configuration
Source: 1.2.cmd.exe.59100c8.7.raw.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://188.130.207.35/0b92e7ab19e861f9.php"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk Virustotal: Detection: 59% Perma Link
Multi AV Scanner detection for submitted file
Source: ZX7MDKtbfn.exe Virustotal: Detection: 39% Perma Link
Source: ZX7MDKtbfn.exe ReversingLabs: Detection: 54%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetProcAddress
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: LoadLibraryA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: lstrcatA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: OpenEventA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CreateEventA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CloseHandle
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Sleep
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetUserDefaultLangID
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: VirtualAllocExNuma
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: VirtualFree
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetSystemInfo
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: VirtualAlloc
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: HeapAlloc
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetComputerNameA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: lstrcpyA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetProcessHeap
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetCurrentProcess
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: lstrlenA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: ExitProcess
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetSystemTime
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SystemTimeToFileTime
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: advapi32.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: gdi32.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: user32.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: crypt32.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: ntdll.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetUserNameA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CreateDCA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetDeviceCaps
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: ReleaseDC
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CryptStringToBinaryA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: sscanf
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: VMwareVMware
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: HAL9TH
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: JohnDoe
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: DISPLAY
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: %hu/%hu/%hu
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: http://188.130.207.35
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: /0b92e7ab19e861f9.php
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: /c4633c2e8e686369/
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: night26
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetFileAttributesA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GlobalLock
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: HeapFree
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetFileSize
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GlobalSize
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: IsWow64Process
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Process32Next
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetLocalTime
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: FreeLibrary
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetTimeZoneInformation
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetSystemPowerStatus
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetVolumeInformationA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Process32First
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetLocaleInfoA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetModuleFileNameA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: DeleteFileA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: FindNextFileA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: LocalFree
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: FindClose
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: LocalAlloc
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetFileSizeEx
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: ReadFile
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SetFilePointer
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: WriteFile
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CreateFileA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: FindFirstFileA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CopyFileA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: VirtualProtect
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetLastError
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: lstrcpynA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: MultiByteToWideChar
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GlobalFree
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: WideCharToMultiByte
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GlobalAlloc
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: OpenProcess
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: TerminateProcess
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetCurrentProcessId
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: gdiplus.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: ole32.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: bcrypt.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: wininet.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: shlwapi.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: shell32.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: psapi.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: rstrtmgr.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SelectObject
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: BitBlt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: DeleteObject
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CreateCompatibleDC
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GdipGetImageEncoders
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GdiplusStartup
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GdiplusShutdown
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GdipSaveImageToStream
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GdipDisposeImage
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GdipFree
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetHGlobalFromStream
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CoUninitialize
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CoInitialize
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CoCreateInstance
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: BCryptDecrypt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: BCryptSetProperty
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: BCryptDestroyKey
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetWindowRect
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetDesktopWindow
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetDC
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CloseWindow
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: wsprintfA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CharToOemW
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: wsprintfW
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: RegQueryValueExA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: RegEnumKeyExA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: RegOpenKeyExA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: RegCloseKey
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: RegEnumValueA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CryptBinaryToStringA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CryptUnprotectData
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SHGetFolderPathA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: ShellExecuteExA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: InternetOpenUrlA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: InternetConnectA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: InternetCloseHandle
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: InternetOpenA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: HttpSendRequestA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: HttpOpenRequestA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: InternetReadFile
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: InternetCrackUrlA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: StrCmpCA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: StrStrA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: StrCmpCW
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: PathMatchSpecA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: GetModuleFileNameExA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: RmStartSession
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: RmRegisterResources
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: RmGetList
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: RmEndSession
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: sqlite3_open
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: sqlite3_prepare_v2
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: sqlite3_step
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: sqlite3_column_text
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: sqlite3_finalize
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: sqlite3_close
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: sqlite3_column_bytes
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: sqlite3_column_blob
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: encrypted_key
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: PATH
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: NSS_Init
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: NSS_Shutdown
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: PK11_GetInternalKeySlot
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: PK11_FreeSlot
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: PK11_Authenticate
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: PK11SDR_Decrypt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: C:\ProgramData\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: browser:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: profile:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: url:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: login:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: password:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Opera
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: OperaGX
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Network
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: cookies
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: .txt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: TRUE
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: FALSE
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: autofill
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SELECT name, value FROM autofill
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: history
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: name:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: month:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: year:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: card:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Cookies
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Login Data
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Web Data
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: History
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: logins.json
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: formSubmitURL
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: usernameField
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: encryptedUsername
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: encryptedPassword
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: guid
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: cookies.sqlite
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: formhistory.sqlite
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: places.sqlite
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: plugins
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Local Extension Settings
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Sync Extension Settings
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: IndexedDB
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Opera Stable
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Opera GX Stable
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: CURRENT
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: chrome-extension_
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: _0.indexeddb.leveldb
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Local State
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: profiles.ini
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: chrome
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: opera
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: firefox
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: wallets
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: %08lX%04lX%lu
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: ProductName
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: ProcessorNameString
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: DisplayName
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: DisplayVersion
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Network Info:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - IP: IP?
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - Country: ISO?
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: System Summary:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - HWID:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - OS:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - Architecture:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - UserName:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - Computer Name:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - Local Time:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - UTC:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - Language:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - Keyboards:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - Laptop:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - Running Path:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - CPU:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - Threads:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - Cores:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - RAM:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - Display Resolution:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: - GPU:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: User Agents:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Installed Apps:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: All Users:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Current User:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Process List:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: system_info.txt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: freebl3.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: mozglue.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: msvcp140.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: nss3.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: softokn3.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: vcruntime140.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: \Temp\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: .exe
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: runas
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: open
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: /c start
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: %DESKTOP%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: %APPDATA%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: %LOCALAPPDATA%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: %USERPROFILE%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: %DOCUMENTS%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: %PROGRAMFILES%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: %PROGRAMFILES_86%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: %RECENT%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: *.lnk
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: files
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: \discord\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: \Local Storage\leveldb
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: \Telegram Desktop\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: key_datas
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: D877F783D5D3EF8C*
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: map*
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: A7FDF864FBC10B77*
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: A92DAA6EA6F891F2*
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: F8806DD0C461824F*
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Telegram
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: *.tox
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: *.ini
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Password
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: 00000001
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: 00000002
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: 00000003
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: 00000004
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: \Outlook\accounts.txt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Pidgin
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: \.purple\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: accounts.xml
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: dQw4w9WgXcQ
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: token:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Software\Valve\Steam
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: SteamPath
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: \config\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: ssfn*
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: config.vdf
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: DialogConfig.vdf
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: libraryfolders.vdf
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: loginusers.vdf
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: \Steam\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: sqlite3.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: browsers
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: done
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: soft
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: \Discord\tokens.txt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: https
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: POST
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: HTTP/1.1
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: Content-Disposition: form-data; name="
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: hwid
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: build
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: token
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: file_name
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: file
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: message
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 1.2.cmd.exe.59100c8.7.raw.unpack String decryptor: screenshot.jpg
Source: Binary string: ntdll.pdb source: ZX7MDKtbfn.exe, 00000000.00000002.1710561334.0000000002832000.00000004.00000020.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710875109.0000000002E33000.00000004.00000001.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710711662.0000000002C30000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000001.00000002.1903882571.0000000005420000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903632081.0000000004FD4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904161815.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1903820933.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: ZX7MDKtbfn.exe, 00000000.00000002.1710561334.0000000002832000.00000004.00000020.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710875109.0000000002E33000.00000004.00000001.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710711662.0000000002C30000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 00000001.00000002.1903882571.0000000005420000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903632081.0000000004FD4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904161815.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1903820933.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014000352C _invalid_parameter_noinfo,_invalid_parameter_noinfo,lstrlenW,FindFirstFileW,lstrlenW,FindClose, 0_2_000000014000352C

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://188.130.207.35/0b92e7ab19e861f9.php
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.0000000002630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c0rl.m%L
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ZX7MDKtbfn.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: ZX7MDKtbfn.exe String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: ZX7MDKtbfn.exe String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: ZX7MDKtbfn.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.0000000002630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: ZX7MDKtbfn.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: ZX7MDKtbfn.exe String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: ZX7MDKtbfn.exe String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: ZX7MDKtbfn.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: ZX7MDKtbfn.exe String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: ZX7MDKtbfn.exe String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: ZX7MDKtbfn.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.0000000002630000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.0000000005337000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005000000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: ZX7MDKtbfn.exe String found in binary or memory: http://www.softwareok.com
Source: ZX7MDKtbfn.exe String found in binary or memory: http://www.softwareok.comhttp://www.softwareok.deProgram
Source: ZX7MDKtbfn.exe String found in binary or memory: http://www.softwareok.de
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: ZX7MDKtbfn.exe String found in binary or memory: https://www.globalsign.com/repository/0
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014000117C lstrlenW,OpenClipboard,EmptyClipboard,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_000000014000117C
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014000117C lstrlenW,OpenClipboard,EmptyClipboard,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_000000014000117C
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014000235C OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_000000014000235C

System Summary
barindex
PE file has a writeable .text section
Source: tkqesalfwllvk.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_00000001400175F1 NtQuerySystemInformation, 0_2_00000001400175F1
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_00000001400175F1 NtQuerySystemInformation, 0_2_00000001400175F1
Detected potential crypto function
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_00000001400077F4 0_2_00000001400077F4
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014001B884 0_2_000000014001B884
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140004098 0_2_0000000140004098
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014001E114 0_2_000000014001E114
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140029144 0_2_0000000140029144
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014000A158 0_2_000000014000A158
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002F1A8 0_2_000000014002F1A8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002F9A8 0_2_000000014002F9A8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002C1C4 0_2_000000014002C1C4
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140027244 0_2_0000000140027244
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014000D250 0_2_000000014000D250
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002D264 0_2_000000014002D264
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002BAE8 0_2_000000014002BAE8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014001B334 0_2_000000014001B334
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140024B40 0_2_0000000140024B40
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014001E358 0_2_000000014001E358
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014000F398 0_2_000000014000F398
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014001AC0C 0_2_000000014001AC0C
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_00000001400294A8 0_2_00000001400294A8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014000ECDC 0_2_000000014000ECDC
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140009CFC 0_2_0000000140009CFC
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002FD18 0_2_000000014002FD18
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014001FD20 0_2_000000014001FD20
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140022DB4 0_2_0000000140022DB4
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002BDB4 0_2_000000014002BDB4
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140029DB8 0_2_0000000140029DB8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_00000001400315E8 0_2_00000001400315E8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014001CDFC 0_2_000000014001CDFC
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002B60C 0_2_000000014002B60C
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140032E34 0_2_0000000140032E34
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002C664 0_2_000000014002C664
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014001A6A9 0_2_000000014001A6A9
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014001E6F0 0_2_000000014001E6F0
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140033730 0_2_0000000140033730
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140011F3C 0_2_0000000140011F3C
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140034758 0_2_0000000140034758
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014000F770 0_2_000000014000F770
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140021F7C 0_2_0000000140021F7C
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002379C 0_2_000000014002379C
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140004FDC 0_2_0000000140004FDC
PE / OLE file has an invalid certificate
Source: ZX7MDKtbfn.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710561334.00000000029AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ZX7MDKtbfn.exe
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710142038.0000000002621000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewFileTime.exe vs ZX7MDKtbfn.exe
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710711662.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ZX7MDKtbfn.exe
Source: ZX7MDKtbfn.exe, 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNewFileTime.exe vs ZX7MDKtbfn.exe
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs ZX7MDKtbfn.exe
Source: ZX7MDKtbfn.exe Binary or memory string: OriginalFilenameNewFileTime.exe vs ZX7MDKtbfn.exe
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/3@0/0
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140008924 CoCreateInstance, 0_2_0000000140008924
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014000B4AC LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 0_2_000000014000B4AC
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe File created: C:\Users\user\AppData\Roaming\NewFileTime Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:120:WilError_03
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe File created: C:\Users\user\AppData\Local\Temp\e41a1be0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: ZX7MDKtbfn.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe File read: C:\Users\user\AppData\Roaming\NewFileTime\NewFileTime.ini Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ZX7MDKtbfn.exe Virustotal: Detection: 39%
Source: ZX7MDKtbfn.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe File read: C:\Users\user\Desktop\ZX7MDKtbfn.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ZX7MDKtbfn.exe "C:\Users\user\Desktop\ZX7MDKtbfn.exe"
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe File written: C:\Users\user\AppData\Roaming\NewFileTime\NewFileTime.ini Jump to behavior
Source: ZX7MDKtbfn.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Binary string: ntdll.pdb source: ZX7MDKtbfn.exe, 00000000.00000002.1710561334.0000000002832000.00000004.00000020.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710875109.0000000002E33000.00000004.00000001.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710711662.0000000002C30000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000001.00000002.1903882571.0000000005420000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903632081.0000000004FD4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904161815.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1903820933.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: ZX7MDKtbfn.exe, 00000000.00000002.1710561334.0000000002832000.00000004.00000020.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710875109.0000000002E33000.00000004.00000001.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710711662.0000000002C30000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 00000001.00000002.1903882571.0000000005420000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903632081.0000000004FD4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904161815.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1903820933.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140004C0C GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress, 0_2_0000000140004C0C
PE file contains sections with non-standard names
Source: tkqesalfwllvk.1.dr Static PE information: section name: nrb
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014001A1C7 push FFFFFFF8h; retf 0_2_000000014001A1D1
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014001A5EF push rdx; retf 0_2_000000014001A5FD
Drops PE files
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk Jump to dropped file
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014000814C GetPrivateProfileStringW, 0_2_000000014000814C

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\SysWOW64\cmd.exe File deleted: c:\users\user\desktop\zx7mdktbfn.exe Jump to behavior
Found hidden mapped module (file has been removed from disk)
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TKQESALFWLLVK
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140004C0C GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress, 0_2_0000000140004C0C

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6CC43B97
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: EDA317
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe API coverage: 6.4 %
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014000352C _invalid_parameter_noinfo,_invalid_parameter_noinfo,lstrlenW,FindFirstFileW,lstrlenW,FindClose, 0_2_000000014000352C
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.0000000002630000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140020980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0000000140020980
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140004C0C GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress, 0_2_0000000140004C0C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140032648 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError, 0_2_0000000140032648
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140020980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0000000140020980
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002E33C RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000014002E33C
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002DDC0 SetUnhandledExceptionFilter, 0_2_000000014002DDC0
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140020EEC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0000000140020EEC

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe NtCreateFile: Direct from: 0x7FFDFF1978EC Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe NtQuerySystemInformation: Direct from: 0x14E968 Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe NtAllocateVirtualMemory: Direct from: 0xA0A76ACB Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe NtClose: Direct from: 0x14ECC8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe NtAllocateVirtualMemory: Direct from: 0x110 Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe NtProtectVirtualMemory: Direct from: 0x254 Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe NtAllocateVirtualMemory: Direct from: 0x7FFDFF1A8054 Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe NtAllocateVirtualMemory: Direct from: 0x6DFA7E Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe NtProtectVirtualMemory: Direct from: 0x3 Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe NtProtectVirtualMemory: Direct from: 0x27AFA50 Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe NtCreateFile: Direct from: 0x80 Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe NtWriteFile: Direct from: 0x2ACDA30 Jump to behavior
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 332 base: 8B0000 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 332 base: 7EF2D8 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 332 base: 7F01E8 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 332 base: ED79C0 value: 55 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 332 base: 8C0000 value: 00 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: ED79C0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 8C0000 Jump to behavior
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_0000000140011A04 GetModuleFileNameW,ShellExecuteExW,PostQuitMessage, 0_2_0000000140011A04
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: GetLocaleInfoA, 0_2_00000001400328F0
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_00000001400375E0 GetLocalTime,GetUserDefaultLCID,GetUserDefaultLangID,EnumDateFormatsW,EnumTimeFormatsW,EnumTimeFormatsW, 0_2_00000001400375E0
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe Code function: 0_2_000000014002C1C4 ___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_000000014002C1C4

Stealing of Sensitive Information
barindex
Yara detected Mars stealer
Source: Yara match File source: 1.2.cmd.exe.59100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cmd.exe.59100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1904758194.0000000005910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1903471784.00000000008C1000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk, type: DROPPED
Yara detected Stealc
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: 1.2.cmd.exe.59100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cmd.exe.59100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1904758194.0000000005910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1903471784.00000000008C1000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk, type: DROPPED

Remote Access Functionality
barindex
Yara detected Mars stealer
Source: Yara match File source: 1.2.cmd.exe.59100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cmd.exe.59100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1904758194.0000000005910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1903471784.00000000008C1000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk, type: DROPPED
Yara detected Stealc
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: 1.2.cmd.exe.59100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cmd.exe.59100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1904758194.0000000005910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1903471784.00000000008C1000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1464724 Sample: ZX7MDKtbfn.exe Startdate: 30/06/2024 Architecture: WINDOWS Score: 100 21 Found malware configuration 2->21 23 Antivirus detection for URL or domain 2->23 25 Antivirus detection for dropped file 2->25 27 9 other signatures 2->27 7 ZX7MDKtbfn.exe 3 2->7         started        process3 signatures4 29 Maps a DLL or memory area into another process 7->29 31 Found direct / indirect Syscall (likely to bypass EDR) 7->31 10 cmd.exe 2 7->10         started        process5 file6 19 C:\Users\user\AppData\Local\...\tkqesalfwllvk, PE32 10->19 dropped 33 Injects code into the Windows Explorer (explorer.exe) 10->33 35 Deletes itself after installation 10->35 37 Writes to foreign memory regions 10->37 39 2 other signatures 10->39 14 explorer.exe 10->14         started        17 conhost.exe 10->17         started        signatures7 process8 signatures9 41 Switches to a custom stack to bypass stack traces 14->41
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://188.130.207.35/0b92e7ab19e861f9.php true
  • 1%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown