Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe
Analysis ID: 1467090
MD5: da4b6f39fc024d2383d4bfe7f67f1ee1
SHA1: 7cc975d9ff785e269163897907d0b9b3cee29956
SHA256: 544697a024abaea1b24eaa3d89869b2c8a4c1acf96d4e152f5632d338d054c9e
Tags: exePovertyStealer

Detection

Poverty Stealer
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Poverty Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.38f0000.3.raw.unpack Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F1C94 CryptUnprotectData,CryptProtectData, 0_2_038F1C94
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127982661.000000000ADA3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF51000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B558000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2255987514.000000000F1FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E90E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127797796.000000000AD75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2178420804.000000000C67C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2114502255.000000000A360000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2112042713.000000000A0B8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2118866221.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156038090.000000000BDD8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 
00000000.00000002.2211294557.000000000D7D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B55D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF58000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B558000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2255987514.000000000F1FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E90E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127797796.000000000AD75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2178420804.000000000C67C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF4D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156038090.000000000BDD8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ..pdbd source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2217953373.000000000DD83000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2232450057.000000000E65E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2249922214.000000000EF30000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2196463844.000000000D505000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2265708286.000000000F7B6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2184249789.000000000CC2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2133914078.000000000B291000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2124729580.000000000AB3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2151669338.000000000BAFA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2162785923.000000000C3B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbx6 source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF51000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B558000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2255987514.000000000F1FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127797796.000000000AD75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2178420804.000000000C67C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2114502255.000000000A360000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2112042713.000000000A0B8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2118866221.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156038090.000000000BDD8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188930924.000000000CFA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007E24BD FindFirstFileExW, 0_2_007E24BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection, 0_2_038F1000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW, 0_2_038F4E27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F1D3C FindFirstFileW,FindNextFileW, 0_2_038F1D3C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F40BA FindFirstFileW,FindNextFileW, 0_2_038F40BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F3EFC FindFirstFileW,FindNextFileW, 0_2_038F3EFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Adobe\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\

Networking

Source: Malware configuration extractor URLs: 146.70.169.164:2227
Source: global traffic TCP traffic: 192.168.2.7:49707 -> 146.70.169.164:2227
Source: Joe Sandbox View IP Address: 104.192.141.1
Source: Joe Sandbox View IP Address: 146.70.169.164
Source: Joe Sandbox View ASN Name: TENET-1ZA
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_00775B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task, 0_2_00775B80
Source: global traffic HTTP traffic detected: GET /fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee HTTP/1.1 Accept: */* User-Agent: Chrome/95.0.4638.54 Host: bitbucket.org
Source: global traffic DNS traffic detected: DNS query: bitbucket.org
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.0000000001290000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.0000000001240000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.0000000001290000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F4BA2 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC, 0_2_038F4BA2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007D1490 0_2_007D1490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007DD515 0_2_007DD515
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007E4775 0_2_007E4775
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007DBE09 0_2_007DBE09
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: String function: 007D0310 appears 51 times
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal84.troj.spyw.evad.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2224223067.000000000E144000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127982661.000000000ADA3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF51000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B558000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2255987514.000000000F1FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E90E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127797796.000000000AD75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2178420804.000000000C67C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2114502255.000000000A360000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2112042713.000000000A0B8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2118866221.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156038090.000000000BDD8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B55D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF58000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B558000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2255987514.000000000F1FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E90E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127797796.000000000AD75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2178420804.000000000C67C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF4D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156038090.000000000BDD8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ..pdbd source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2217953373.000000000DD83000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2232450057.000000000E65E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2249922214.000000000EF30000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2196463844.000000000D505000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2265708286.000000000F7B6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2184249789.000000000CC2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2133914078.000000000B291000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2124729580.000000000AB3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2151669338.000000000BAFA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2162785923.000000000C3B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbx6 source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF51000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B558000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2255987514.000000000F1FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127797796.000000000AD75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2178420804.000000000C67C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2114502255.000000000A360000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2112042713.000000000A0B8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2118866221.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156038090.000000000BDD8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188930924.000000000CFA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_00775B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task, 0_2_00775B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007D004B push ecx; ret 0_2_007D005E

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007E24BD FindFirstFileExW, 0_2_007E24BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection, 0_2_038F1000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW, 0_2_038F4E27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F1D3C FindFirstFileW,FindNextFileW, 0_2_038F1D3C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F40BA FindFirstFileW,FindNextFileW, 0_2_038F40BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F3EFC FindFirstFileW,FindNextFileW, 0_2_038F3EFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_038F2054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_038F2054
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Adobe\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2115590508.000000000A431000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.co..microsoft.visualstudio.comVMware20,11696492231x
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.00000000012B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.000000000124E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.0000000001290000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007D4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007D4383
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_00775B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task, 0_2_00775B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007E5891 GetProcessHeap, 0_2_007E5891
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007D4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007D4383
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007D0495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007D0495
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007D0622 SetUnhandledExceptionFilter, 0_2_007D0622
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007D06F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_007D06F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007D013C cpuid 0_2_007D013C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: EnumSystemLocalesW, 0_2_007E5051
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_007E50DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: GetLocaleInfoW, 0_2_007DE096
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: GetLocaleInfoW, 0_2_007E532F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_007E5458
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: GetLocaleInfoW, 0_2_007E555E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_007E5634
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: EnumSystemLocalesW, 0_2_007DDBC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_007E4CBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: EnumSystemLocalesW, 0_2_007E4F6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: EnumSystemLocalesW, 0_2_007E4FB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe Code function: 0_2_007D038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_007D038F

Stealing of Sensitive Information

Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12fce40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.38f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.38f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12b8100.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12fce40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12b8100.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2110344890.00000000012B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe PID: 6500, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior

Remote Access Functionality

Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12fce40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.38f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.38f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12b8100.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12fce40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12b8100.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2110344890.00000000012B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe PID: 6500, type: MEMORYSTR