Windows Analysis Report
09j4wHYrHs.exe

Overview

General Information

Sample name: 09j4wHYrHs.exe
Renamed because the original name is a hash value
Original sample name: c26ffcfad1b175fecb51e9b9724f63cbbd5e789ca9d075d7b9c5d88ae914078b.exe
Analysis ID: 1467012
MD5: b3370422cd4262297843df6f6b16d273
SHA1: 092f1aac2c72ead151585cd11712b4fa32ed4d39
SHA256: c26ffcfad1b175fecb51e9b9724f63cbbd5e789ca9d075d7b9c5d88ae914078b
Tags: exe

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Detected potential crypto function
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: 09j4wHYrHs.exe Avira: detected
Source: 09j4wHYrHs.exe ReversingLabs: Detection: 91%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: 09j4wHYrHs.exe Joe Sandbox ML: detected
Source: 09j4wHYrHs.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 09j4wHYrHs.exe, 00000000.00000003.1717928032.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.0000000000482000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.000000000047F000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000002.1718666692.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.0000000000482000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.00000000004B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 09j4wHYrHs.exe, 00000000.00000003.1717928032.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.0000000000482000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.000000000047F000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000002.1718666692.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.0000000000482000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.00000000004B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 09j4wHYrHs.exe, 00000000.00000003.1717928032.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.0000000000482000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.000000000047F000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000002.1718666692.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.0000000000482000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.00000000004B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 09j4wHYrHs.exe, 00000000.00000003.1717928032.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.0000000000482000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.000000000047F000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000002.1718666692.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.0000000000482000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.00000000004B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1715347162.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.00000000004B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: 09j4wHYrHs.exe, 00000000.00000003.1715347162.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.000000000047F000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.00000000004B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 09j4wHYrHs.exe, 00000000.00000003.1715347162.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.000000000047F000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.00000000004B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 09j4wHYrHs.exe, 00000000.00000003.1715347162.000000000047F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 09j4wHYrHs.exe, 00000000.00000002.1718562336.000000000043D000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1718060726.000000000042D000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1718115281.0000000000438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000002.1718562336.000000000043D000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1718060726.000000000042D000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1718115281.0000000000438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717928032.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.0000000000482000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.000000000047F000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000002.1718666692.00000000004B6000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.0000000000482000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.00000000004B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 09j4wHYrHs.exe, 00000000.00000003.1717545447.0000000000441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: 09j4wHYrHs.exe, 00000000.00000003.1715347162.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1716891894.00000000004B5000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1715347162.000000000047F000.00000004.00000020.00020000.00000000.sdmp, 09j4wHYrHs.exe, 00000000.00000003.1717607037.00000000004B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Code function: 0_2_00401988 0_2_00401988
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Code function: 0_2_004019EB 0_2_004019EB
Source: 09j4wHYrHs.exe, 00000000.00000002.1718496532.000000000040A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamescsearch.exe vs 09j4wHYrHs.exe
Source: 09j4wHYrHs.exe Binary or memory string: OriginalFilenamescsearch.exe vs 09j4wHYrHs.exe
Source: classification engine Classification label: mal68.spyw.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\09j4wHYrHs.exe File created: C:\Users\user\Desktop\config.xml
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\09j4wHYrHs.exe File created: C:\Users\user\AppData\Local\Temp\~DFAC1AC9EB40B6FD0C.TMP
Source: 09j4wHYrHs.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\09j4wHYrHs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Process Where Name = 'chrome.exe'
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: 09j4wHYrHs.exe Static PE information: real checksum: 0x108c5 should be: 0xe347
Source: C:\Users\user\Desktop\09j4wHYrHs.exe Process information set: NOOPENFILEERRORBOX

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\09j4wHYrHs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\Desktop\09j4wHYrHs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\Desktop\09j4wHYrHs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
No contacted IP information