Windows Analysis Report
pDHKarOK2v.exe

Overview

General Information

Sample name: pDHKarOK2v.exe
renamed because original name is a hash value
Original sample name: 83191f9561b65c2ebb2c95827de22c10.exe
Analysis ID: 1465867
MD5: 83191f9561b65c2ebb2c95827de22c10
SHA1: b3bbe9ec2991bbc6213d1bf66221f5394e48d3ca
SHA256: 8ecfab17b6ecc5b0c7ca6d51373042d9afdaf10c9e03440828f940de68227cd9
Tags: exeVidar
Infos:

Detection

CryptOne, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Yara detected Powershell download and execute
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199707802586 Avira URL Cloud: Label: malware
Source: https://t.me/g067n Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.2097682899.00000000028F0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199707802586", "https://t.me/g067n"], "Botnet": "f5b5622f4f4fc7235c0e9e6367cafc13"}
Multi AV Scanner detection for submitted file
Source: pDHKarOK2v.exe Virustotal: Detection: 40% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: pDHKarOK2v.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: I8S%
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: usernameField
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: a GX Stable
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: uctName
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: layVersion
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: sktop\
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: F783D5D3EF8C*
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: T=@?VDX;W:R1J )M$
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: #5EG P%:{
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: ystemInfo
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: 304FDQ8L\h$
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: %hu/%hu
Source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack String decryptor: ero\wallet.k9ys

Compliance
barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Unpacked PE file: 2.2.katC422.tmp.20130000.0.unpack
Uses 32bit PE files
Source: pDHKarOK2v.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199707802586
Source: Malware configuration extractor URLs: https://t.me/g067n
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49711 -> 49.13.159.121:9000
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: global traffic HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: t.me
Source: katC422.tmp, 00000002.00000003.2155967589.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2275940732.00000000008AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: katC422.tmp, 00000002.00000002.3345409329.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: katC422.tmp, 00000002.00000002.3345409329.00000000007B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enb
Source: pDHKarOK2v.exe, 00000000.00000002.2097682899.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000000.2096817178.00000000004B4000.00000002.00000001.01000000.00000004.sdmp, katC422.tmp.0.dr String found in binary or memory: http://rpi.net.au/~ajohnson/resourcehacker
Source: katC422.tmp, 00000002.00000003.2140481149.00000000007EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352160364.000000002037D000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.2.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: katC422.tmp, 00000002.00000003.2276254993.000000000087A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.1
Source: katC422.tmp, 00000002.00000002.3345868978.0000000000817000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2302338504.0000000000816000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2297205059.0000000000812000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.3230716161.0000000000816000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121/
Source: katC422.tmp, 00000002.00000002.3345868978.0000000000817000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2302338504.0000000000816000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2297205059.0000000000812000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.3230716161.0000000000816000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121/b
Source: katC422.tmp, 00000002.00000003.3230716161.00000000007E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000
Source: katC422.tmp, 00000002.00000003.3230343222.000000000087A000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2289095428.000000000087D000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2287681886.000000000087A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/
Source: katC422.tmp, 00000002.00000003.3230716161.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/159.121:9000/freebl3.dll
Source: katC422.tmp, 00000002.00000003.3230716161.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/159.121:9000/msvcp140.dll
Source: katC422.tmp, 00000002.00000003.3230343222.000000000087A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/:0
Source: katC422.tmp, 00000002.00000003.2286588934.000000000087A000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2288693962.000000000087A000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2289095428.000000000087D000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2287681886.000000000087A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/B7
Source: katC422.tmp, 00000002.00000003.2301990990.000000000087A000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3346029837.000000000087E000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.3230343222.000000000087A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/D
Source: katC422.tmp, 00000002.00000003.2286588934.000000000087A000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2288693962.000000000087A000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.3230343222.000000000087A000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2289095428.000000000087D000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2287681886.000000000087A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/J0
Source: katC422.tmp, 00000002.00000003.2301990990.000000000087A000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2296801499.000000000087A000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2299936389.000000000087D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/L
Source: katC422.tmp, 00000002.00000003.2301990990.000000000087A000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2296801499.000000000087A000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2299936389.000000000087D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/R
Source: katC422.tmp, 00000002.00000002.3346029837.000000000087E000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.3230343222.000000000087A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/X
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/c530icrosoft
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/cal
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2301685212.00000000009C3000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3346448498.00000000009C3000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2302338504.00000000007E9000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2301685212.00000000009C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/freebl3.dll
Source: katC422.tmp, 00000002.00000003.2301685212.00000000009C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/freebl3.dll)Fqc?
Source: katC422.tmp, 00000002.00000003.2301685212.00000000009C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/freebl3.dll)MIb
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/freebl3.dllft
Source: katC422.tmp, 00000002.00000003.2301685212.00000000009C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/freebl3.dllmFMc5
Source: katC422.tmp, 00000002.00000003.3230343222.000000000087A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/j00b
Source: katC422.tmp, 00000002.00000003.3230716161.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/lowedCert_AutoUpdate_1
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3346448498.00000000009C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/mozglue.dll
Source: katC422.tmp, 00000002.00000003.3230716161.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/mozglue.dll4
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/mozglue.dllft
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/mozglue.dllposition:
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3346448498.00000000009C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/msvcp140.dll
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/msvcp140.dllt
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/nss3.dll
Source: katC422.tmp, 00000002.00000002.3346448498.00000000009D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/nss3.dllhx
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/nss3.dllosoft
Source: katC422.tmp, 00000002.00000002.3346448498.00000000009D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/nss3.dlltx
Source: katC422.tmp, 00000002.00000003.3230716161.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/r
Source: katC422.tmp, 00000002.00000003.3230343222.000000000087A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/r0(b
Source: katC422.tmp, 00000002.00000003.3230716161.000000000080C000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2302338504.00000000007E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/soft
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3346448498.00000000009C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/softokn3.dll
Source: katC422.tmp, 00000002.00000002.3346448498.00000000009C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/softokn3.dllZL
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/softokn3.dllt
Source: katC422.tmp, 00000002.00000003.2288952609.00000000009D9000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3346448498.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2273930953.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2287445433.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2288510535.00000000009D9000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2301685212.00000000009D9000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2299686257.00000000009D9000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2302338504.00000000007E9000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3345409329.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2296525829.00000000009D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/sqlt.dll
Source: katC422.tmp, 00000002.00000003.3230343222.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3344136913.0000000000539000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dll
Source: katC422.tmp, 00000002.00000003.3230343222.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3346155752.00000000008AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dlletsC
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000539000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllge
Source: katC422.tmp, 00000002.00000003.3230343222.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3346155752.00000000008AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllpet
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000539000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:90000c530oogle
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000el
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000oaming
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3344136913.0000000000539000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000ocal
Source: katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.159.121:9000srss.exe
Source: katC422.tmp, 00000002.00000003.2287681886.0000000000871000.00000004.00000020.00020000.00000000.sdmp, FCFBFH.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: katC422.tmp, 00000002.00000003.2287681886.0000000000871000.00000004.00000020.00020000.00000000.sdmp, FCFBFH.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: katC422.tmp, 00000002.00000003.2287681886.0000000000871000.00000004.00000020.00020000.00000000.sdmp, FCFBFH.2.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: katC422.tmp, 00000002.00000003.2287681886.0000000000871000.00000004.00000020.00020000.00000000.sdmp, FCFBFH.2.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: katC422.tmp, 00000002.00000003.2287681886.0000000000871000.00000004.00000020.00020000.00000000.sdmp, FCFBFH.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: katC422.tmp, 00000002.00000003.2287681886.0000000000871000.00000004.00000020.00020000.00000000.sdmp, FCFBFH.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: katC422.tmp, 00000002.00000003.2287681886.0000000000871000.00000004.00000020.00020000.00000000.sdmp, FCFBFH.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: pDHKarOK2v.exe, 00000000.00000002.2097682899.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, pDHKarOK2v.exe, 00000000.00000002.2097882429.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, pDHKarOK2v.exe, 00000000.00000002.2097925927.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3344136913.0000000000425000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586
Source: pDHKarOK2v.exe, 00000000.00000002.2097682899.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, pDHKarOK2v.exe, 00000000.00000002.2097882429.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, pDHKarOK2v.exe, 00000000.00000002.2097925927.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3344136913.0000000000425000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll
Source: katC422.tmp, 00000002.00000002.3345409329.000000000076E000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3345409329.00000000007D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: pDHKarOK2v.exe, 00000000.00000002.2097682899.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, pDHKarOK2v.exe, 00000000.00000002.2097882429.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, pDHKarOK2v.exe, 00000000.00000002.2097925927.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3344136913.0000000000425000.00000040.00000400.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2302338504.00000000007E9000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3345409329.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2140481149.00000000007EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/g067n
Source: pDHKarOK2v.exe, 00000000.00000002.2097682899.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, pDHKarOK2v.exe, 00000000.00000002.2097882429.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, pDHKarOK2v.exe, 00000000.00000002.2097925927.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3344136913.0000000000425000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/g067nry1neMozilla/5.0
Source: katC422.tmp, 00000002.00000003.2140481149.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.3230716161.00000000007E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: katC422.tmp, 00000002.00000003.2287681886.0000000000871000.00000004.00000020.00020000.00000000.sdmp, FCFBFH.2.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: katC422.tmp, 00000002.00000003.2287681886.0000000000871000.00000004.00000020.00020000.00000000.sdmp, FCFBFH.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49710 version: TLS 1.2
Yara detected Keylogger Generic
Source: Yara match File source: 00000000.00000002.2097682899.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pDHKarOK2v.exe PID: 4388, type: MEMORYSTR
Contains functionality to call native functions
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Code function: 0_2_029FB510 NtProtectVirtualMemory,NtProtectVirtualMemory, 0_2_029FB510
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Code function: 0_2_029FB250 NtCreateFile,CreateFileMappingA,MapViewOfFile,FindCloseChangeNotification, 0_2_029FB250
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Code function: 0_2_029FBEF0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess, 0_2_029FBEF0
Detected potential crypto function
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Code function: 0_2_029FC510 0_2_029FC510
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20144CF0 2_2_20144CF0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201BA0B0 2_2_201BA0B0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2013209F 2_2_2013209F
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201347AF 2_2_201347AF
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2015A560 2_2_2015A560
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2022A590 2_2_2022A590
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201466C0 2_2_201466C0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2026E800 2_2_2026E800
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20133E3B 2_2_20133E3B
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2013481D 2_2_2013481D
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2024A900 2_2_2024A900
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2022A940 2_2_2022A940
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_202169C0 2_2_202169C0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2013AA40 2_2_2013AA40
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2013EA80 2_2_2013EA80
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201319DD 2_2_201319DD
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2030AEBE 2_2_2030AEBE
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20176E80 2_2_20176E80
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20192EE0 2_2_20192EE0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2013F160 2_2_2013F160
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2013174E 2_2_2013174E
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20163370 2_2_20163370
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20167810 2_2_20167810
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2013251D 2_2_2013251D
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2015BAB0 2_2_2015BAB0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2013290A 2_2_2013290A
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20258030 2_2_20258030
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201B0090 2_2_201B0090
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201B8120 2_2_201B8120
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20133AB2 2_2_20133AB2
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20270480 2_2_20270480
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20158680 2_2_20158680
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20158763 2_2_20158763
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20194760 2_2_20194760
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201C8760 2_2_201C8760
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2013C800 2_2_2013C800
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20131EF1 2_2_20131EF1
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20234A60 2_2_20234A60
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20158D2A 2_2_20158D2A
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2016CE10 2_2_2016CE10
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20149000 2_2_20149000
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20255040 2_2_20255040
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2030D209 2_2_2030D209
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20133580 2_2_20133580
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201C53B0 2_2_201C53B0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20299430 2_2_20299430
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2013D4C0 2_2_2013D4C0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201D9690 2_2_201D9690
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201ED6D0 2_2_201ED6D0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20131C9E 2_2_20131C9E
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201E5940 2_2_201E5940
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20259A20 2_2_20259A20
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20132018 2_2_20132018
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20161C50 2_2_20161C50
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2013292D 2_2_2013292D
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20299CC0 2_2_20299CC0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201312A8 2_2_201312A8
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20132AA9 2_2_20132AA9
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: String function: 203106B1 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: String function: 20131F5A appears 36 times
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: String function: 20131C2B appears 47 times
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: String function: 2013415B appears 173 times
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: String function: 20133AF3 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: String function: 2013395E appears 81 times
Sample file is different than original file name gathered from version info
Source: pDHKarOK2v.exe, 00000000.00000002.2097682899.00000000028F0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResHack! vs pDHKarOK2v.exe
Uses 32bit PE files
Source: pDHKarOK2v.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/12@1/2
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\0813XZA8.htm Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe File created: C:\Users\user\AppData\Local\Temp\katC422.tmp Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: katC422.tmp, 00000002.00000002.3345409329.000000000076E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT url FROM urls LIMIT 1000O;
Source: katC422.tmp, katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: katC422.tmp, katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: katC422.tmp, 00000002.00000003.2296801499.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2299936389.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2286588934.0000000000862000.00000004.00000020.00020000.00000000.sdmp, AAKEGD.2.dr, AECAEC.2.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: katC422.tmp, katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: pDHKarOK2v.exe Virustotal: Detection: 40%
Source: unknown Process created: C:\Users\user\Desktop\pDHKarOK2v.exe "C:\Users\user\Desktop\pDHKarOK2v.exe"
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Process created: C:\Users\user\AppData\Local\Temp\katC422.tmp C:\Users\user\AppData\Local\Temp\katC422.tmp
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Process created: C:\Users\user\AppData\Local\Temp\katC422.tmp C:\Users\user\AppData\Local\Temp\katC422.tmp Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: cryptnet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: pDHKarOK2v.exe Static file information: File size 1717248 > 1048576
Source: pDHKarOK2v.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x12ae00
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: katC422.tmp, 00000002.00000002.3351982838.0000000020348000.00000002.00001000.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3352553847.000000002BC21000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr

Data Obfuscation
barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Unpacked PE file: 2.2.katC422.tmp.20130000.0.unpack
PE file contains sections with non-standard names
Source: sqlt[1].dll.2.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Code function: 0_2_029FCA10 push edx; ret 0_2_029FCC1F
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Code function: 0_2_029FC310 push edx; ret 0_2_029FC31B
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201310C8 push ecx; ret 2_2_20333552
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20131BF9 push ecx; ret 2_2_202D4C03
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\sqlt[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\pDHKarOK2v.exe File created: C:\Users\user\AppData\Local\Temp\katC422.tmp Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon.png
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\sqlt[1].dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp API coverage: 0.8 %
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: HIDGCF.2.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: HIDGCF.2.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: HIDGCF.2.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: HIDGCF.2.dr Binary or memory string: discord.comVMware20,11696487552f
Source: HIDGCF.2.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: HIDGCF.2.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: HIDGCF.2.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: katC422.tmp, 00000002.00000002.3345409329.00000000007D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: katC422.tmp, 00000002.00000002.3345409329.000000000076E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: HIDGCF.2.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: HIDGCF.2.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: HIDGCF.2.dr Binary or memory string: global block list test formVMware20,11696487552
Source: HIDGCF.2.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: HIDGCF.2.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: HIDGCF.2.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: HIDGCF.2.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: HIDGCF.2.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: HIDGCF.2.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: HIDGCF.2.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: HIDGCF.2.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: HIDGCF.2.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: HIDGCF.2.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: HIDGCF.2.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: HIDGCF.2.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: HIDGCF.2.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: katC422.tmp, 00000002.00000002.3345409329.000000000076E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: HIDGCF.2.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: HIDGCF.2.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: HIDGCF.2.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: HIDGCF.2.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: HIDGCF.2.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: HIDGCF.2.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: HIDGCF.2.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: HIDGCF.2.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20132C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_20132C8E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201346A6 GetProcessHeap, 2_2_201346A6
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20132C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_20132C8E
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201342AF SetUnhandledExceptionFilter, 2_2_201342AF

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: pDHKarOK2v.exe PID: 4388, type: MEMORYSTR
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Memory allocated: C:\Users\user\AppData\Local\Temp\katC422.tmp base: 400000 protect: page execute and read and write Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Code function: 0_2_029FBEF0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess, 0_2_029FBEF0
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Memory written: C:\Users\user\AppData\Local\Temp\katC422.tmp base: 400000 value starts with: 4D5A Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Section unmapped: C:\Users\user\AppData\Local\Temp\katC422.tmp base address: 400000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Memory written: C:\Users\user\AppData\Local\Temp\katC422.tmp base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Memory written: C:\Users\user\AppData\Local\Temp\katC422.tmp base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Memory written: C:\Users\user\AppData\Local\Temp\katC422.tmp base: 425000 Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Memory written: C:\Users\user\AppData\Local\Temp\katC422.tmp base: 42E000 Jump to behavior
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Memory written: C:\Users\user\AppData\Local\Temp\katC422.tmp base: 643000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\pDHKarOK2v.exe Process created: C:\Users\user\AppData\Local\Temp\katC422.tmp C:\Users\user\AppData\Local\Temp\katC422.tmp Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 2_2_2013298C
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: EnumSystemLocalesW, 2_2_2030FF17
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: GetLocaleInfoW, 2_2_20132112
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: GetLocaleInfoW, 2_2_20132112
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_202D4323 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_202D4323
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20314A46 GetTimeZoneInformation, 2_2_20314A46
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: katC422.tmp, 00000002.00000003.2273930953.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3346448498.00000000009C9000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000003.2296525829.00000000009C9000.00000004.00000020.00020000.00000000.sdmp, katC422.tmp, 00000002.00000002.3345409329.000000000076E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected CryptOne packer
Source: Yara match File source: 00000000.00000002.2097682899.00000000029FB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pDHKarOK2v.exe.29c7719.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pDHKarOK2v.exe.3fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pDHKarOK2v.exe.2bc0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pDHKarOK2v.exe.2bc0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pDHKarOK2v.exe.29c7719.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2097882429.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2097682899.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2097925927.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pDHKarOK2v.exe PID: 4388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: katC422.tmp PID: 6440, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: katC422.tmp PID: 6440, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected CryptOne packer
Source: Yara match File source: 00000000.00000002.2097682899.00000000029FB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 0.2.pDHKarOK2v.exe.3fb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pDHKarOK2v.exe.29c7719.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pDHKarOK2v.exe.3fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pDHKarOK2v.exe.2bc0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pDHKarOK2v.exe.2bc0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pDHKarOK2v.exe.29c7719.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2097882429.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2097682899.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2097925927.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3344136913.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pDHKarOK2v.exe PID: 4388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: katC422.tmp PID: 6440, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2019E090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 2_2_2019E090
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201AE170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_201AE170
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2019E200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 2_2_2019E200
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201466C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 2_2_201466C0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201AA6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value, 2_2_201AA6F0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2018EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code, 2_2_2018EF30
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2015B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64, 2_2_2015B400
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201F3770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_201F3770
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_202137E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_202137E0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20167810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 2_2_20167810
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20214140 sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_initialize,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 2_2_20214140
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201A8200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, 2_2_201A8200
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20168430 sqlite3_bind_int64, 2_2_20168430
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20188550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset, 2_2_20188550
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20158680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64, 2_2_20158680
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201806E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 2_2_201806E0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20144820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize, 2_2_20144820
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20168970 sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 2_2_20168970
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20168CB0 sqlite3_bind_zeroblob, 2_2_20168CB0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20214D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 2_2_20214D40
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20160FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 2_2_20160FB0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201C9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf, 2_2_201C9090
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201D51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_201D51D0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201ED3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_201ED3B0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2025D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log, 2_2_2025D4F0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_202514D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 2_2_202514D0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201D55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_201D55B0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2020D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_2020D610
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201D5910 sqlite3_mprintf,sqlite3_bind_int64, 2_2_201D5910
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_2025D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 2_2_2025D9E0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201ADB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 2_2_201ADB10
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_20145C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 2_2_20145C70
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201ADFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset, 2_2_201ADFC0
Source: C:\Users\user\AppData\Local\Temp\katC422.tmp Code function: 2_2_201B1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_201B1FE0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465867 Sample: pDHKarOK2v.exe Startdate: 02/07/2024 Architecture: WINDOWS Score: 100 20 t.me 2->20 22 bg.microsoft.map.fastly.net 2->22 28 Found malware configuration 2->28 30 Antivirus detection for URL or domain 2->30 32 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->32 34 8 other signatures 2->34 7 pDHKarOK2v.exe 1 2->7         started        signatures3 process4 file5 16 C:\Users\user\AppData\Local\...\katC422.tmp, PE32 7->16 dropped 36 Contains functionality to inject code into remote processes 7->36 38 Writes to foreign memory regions 7->38 40 Allocates memory in foreign processes 7->40 42 2 other signatures 7->42 11 katC422.tmp 29 7->11         started        signatures6 process7 dnsIp8 24 t.me 149.154.167.99, 443, 49710 TELEGRAMRU United Kingdom 11->24 26 49.13.159.121, 49711, 49714, 49715 HETZNER-ASDE Germany 11->26 18 C:\Users\user\AppData\Local\...\sqlt[1].dll, PE32 11->18 dropped 44 Detected unpacking (creates a PE file in dynamic memory) 11->44 46 Tries to harvest and steal browser information (history, passwords, etc) 11->46 file9 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
49.13.159.121
 unknown Germany
24940 HETZNER-ASDE false
149.154.167.99
 t.me United Kingdom
62041 TELEGRAMRU true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
t.me 149.154.167.99 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://steamcommunity.com/profiles/76561199707802586 true
  • Avira URL Cloud: malware
 unknown
https://t.me/g067n true
  • Avira URL Cloud: malware
 unknown