Windows Analysis Report
1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

Overview

General Information

Sample name:	1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Analysis ID:	1467918
MD5:	dd1bd551108f3ec1e9e775c7b09a0e1c
SHA1:	418ec6e49557849276c4a8198b92eff0af4b957f
SHA256:	e347ded6059659a1c81d016b64bb550d7fe94fb789957ed5f312eacebb8944db
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe

Avira: detection malicious, Label: TR/Spy.Gen8

Found malware configuration

Source: 1.2.fMNDB.exe.3546458.5.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.raczki.pl", "Username": "wojt@raczki.pl", "Password": "obslugaradygminy"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:

Binary string: _.pdb source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000003.1740970421.0000000000762000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 185.49.148.195:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.49.148.195 185.49.148.195

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PL-BEYOND-ASPL PL-BEYOND-ASPL

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 185.49.148.195:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.raczki.pl

Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894752336.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/dvcasha2.crl0q
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dvcasha2.ocsp-certum.com04
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.raczki.pl
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raczki.pl
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894752336.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/dvcasha2.cer0
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894752336.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894752336.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, SKTzxzsJw.cs

.Net Code: JTHNI

System Summary

Malicious sample detected (through community Yara rule)

Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, type: SAMPLE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.fMNDB.exe.228f61e.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.3594190.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.0.fMNDB.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.fMNDB.exe.3545570.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.3.fMNDB.exe.714da8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.fMNDB.exe.35c6458.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.0.fMNDB.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.fMNDB.exe.50e0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.4a80ee8.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.3594190.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.3.fMNDB.exe.7d19c8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.2240506.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.4a80000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.2560000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.223f61e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.3545570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.228f61e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.3.fMNDB.exe.7d19c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.35c6458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.2560ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.3546458.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.50e0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.3614190.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.3614190.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.2290506.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.4b20000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.2560000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.2240506.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.2290506.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.3546458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.35c5570.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.3.fMNDB.exe.714da8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.35c5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.4b20000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.4a80000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.fMNDB.exe.2560ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.4a80ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.fMNDB.exe.223f61e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_00408C60	0_2_00408C60
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0040DC11	0_2_0040DC11
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_00407C3F	0_2_00407C3F
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_00418CCC	0_2_00418CCC
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_00406CA0	0_2_00406CA0
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_004028B0	0_2_004028B0
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0041A4BE	0_2_0041A4BE
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_00408C60	0_2_00408C60
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_00418244	0_2_00418244
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_00401650	0_2_00401650
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_00402F20	0_2_00402F20
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_004193C4	0_2_004193C4
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_00418788	0_2_00418788
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_00402F89	0_2_00402F89
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_00402B90	0_2_00402B90
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_004073A0	0_2_004073A0
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0219CC78	0_2_0219CC78
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0219D890	0_2_0219D890
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_02190F40	0_2_02190F40
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_02190FD0	0_2_02190FD0
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0219CFC0	0_2_0219CFC0
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_02191030	0_2_02191030
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_02778AC8	0_2_02778AC8
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_027758E8	0_2_027758E8
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0277E6C8	0_2_0277E6C8
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0277C418	0_2_0277C418
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_02770040	0_2_02770040
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_02770007	0_2_02770007
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0277B608	0_2_0277B608
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_05B699A9	0_2_05B699A9
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_05B65A90	0_2_05B65A90
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_05B64AF8	0_2_05B64AF8
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_05B67F58	0_2_05B67F58
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_05B609F8	0_2_05B609F8
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0636DA89	0_2_0636DA89
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_063678E0	0_2_063678E0
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_06366078	0_2_06366078
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_020BCC78	1_2_020BCC78
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_020BD890	1_2_020BD890
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_020BCFC0	1_2_020BCFC0
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_020B0FD0	1_2_020B0FD0
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_020B1030	1_2_020B1030
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B3E598	1_2_05B3E598
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B3C2C0	1_2_05B3C2C0
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B352C8	1_2_05B352C8
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B38D0F	1_2_05B38D0F
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B3ECBF	1_2_05B3ECBF
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B30013	1_2_05B30013
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B30040	1_2_05B30040
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B699A9	1_2_05B699A9
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B67CA0	1_2_05B67CA0
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B65A98	1_2_05B65A98
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B646FA	1_2_05B646FA
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B609F8	1_2_05B609F8
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_0077D8A0	3_2_0077D8A0
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_0077CC88	3_2_0077CC88
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_0077CFD0	3_2_0077CFD0
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_00771030	3_2_00771030
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_00770FD0	3_2_00770FD0
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_059FE598	3_2_059FE598
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_059F578A	3_2_059F578A
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_059F8968	3_2_059F8968
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_059FC2C0	3_2_059FC2C0
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_059FECBF	3_2_059FECBF
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_059F0006	3_2_059F0006
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_059F0040	3_2_059F0040
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_05A246FB	3_2_05A246FB
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_05A27CA0	3_2_05A27CA0
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_05A299A9	3_2_05A299A9
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_05A25A98	3_2_05A25A98
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_05A209F8	3_2_05A209F8
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_06237400	3_2_06237400
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_0623D5E9	3_2_0623D5E9
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_06235B98	3_2_06235B98

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

Code function: String function: 0040E1D8 appears 43 times

Sample file is different than original file name gathered from version info

Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000003.1624911204.0000000000849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.0000000002791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2891200196.0000000000198000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

Uses 32bit PE files

Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, type: SAMPLE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.fMNDB.exe.228f61e.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.3594190.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.0.fMNDB.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.fMNDB.exe.3545570.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.3.fMNDB.exe.714da8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.fMNDB.exe.35c6458.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.0.fMNDB.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.fMNDB.exe.50e0000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.4a80ee8.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.3594190.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.3.fMNDB.exe.7d19c8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.2240506.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.4a80000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.2560000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.223f61e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.3545570.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.228f61e.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.3.fMNDB.exe.7d19c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.35c6458.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.2560ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.3546458.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.50e0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.3614190.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.3614190.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.2290506.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.4b20000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.2560000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.2240506.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.2290506.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.3546458.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.35c5570.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.3.fMNDB.exe.714da8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.35c5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.4b20000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.4a80000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.fMNDB.exe.2560ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.4a80ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.fMNDB.exe.223f61e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Static PE information: Section: .rsrc ZLIB complexity 0.9948172982283464
Source: fMNDB.exe.0.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9948172982283464

Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

0_2_004019F0

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

0_2_004019F0

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

File created: C:\Users\user\AppData\Roaming\fMNDB

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: unknown	Process created: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe "C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe "C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe "C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe"

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Static PE information: real checksum: 0x23bfb should be: 0x42aeb
Source: fMNDB.exe.0.dr	Static PE information: real checksum: 0x23bfb should be: 0x42aeb

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0040E21D push ecx; ret	0_2_0040E230
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0040BB97 push dword ptr [ecx-75h]; iretd	0_2_0040BBA3
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0219435B push esp; iretd	0_2_02194361
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0636B0A5 push es; ret	0_2_0636B0AC
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_06360C80 push es; ret	0_2_06360C90
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_020B435B push esp; iretd	1_2_020B4361
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 1_2_05B68408 push eax; retf	1_2_05B68411
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_0077435B push esp; iretd	3_2_00774361
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_059F431F pushad ; iretd	3_2_059F4335
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 3_2_06230790 push es; ret	3_2_062307A0

Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'qtSgq8WCW5EZy', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'qtSgq8WCW5EZy', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'qtSgq8WCW5EZy', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'qtSgq8WCW5EZy', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'qtSgq8WCW5EZy', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'qtSgq8WCW5EZy', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fMNDB			Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fMNDB			Jump to behavior

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Memory allocated: 2150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Memory allocated: 23C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Memory allocated: 2070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Memory allocated: 2540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Memory allocated: 22E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Memory allocated: 770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Memory allocated: 25C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Memory allocated: 24C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Window / User API: threadDelayed 1401	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Window / User API: threadDelayed 8178	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Window / User API: threadDelayed 2932	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Window / User API: threadDelayed 6913	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Window / User API: threadDelayed 6557	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Window / User API: threadDelayed 2667	Jump to behavior

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Last function: Thread delayed

Source: fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllstringPNPDeviceID
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040CE09
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040E61C
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00416F6A
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Code function: 0_2_004123F1 SetUnhandledExceptionFilter,	0_2_004123F1

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.228f61e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.3594190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.3545570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.fMNDB.exe.714da8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.35c6458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.50e0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.4a80ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.3594190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.fMNDB.exe.7d19c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.2240506.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.223f61e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.fMNDB.exe.7d19c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.4a80000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.2560000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.3614190.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.3545570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.35c6458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.3546458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.50e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.228f61e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.2560ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.3614190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.2290506.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.4b20000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.2560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.2240506.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.2290506.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.3546458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.35c5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.fMNDB.exe.714da8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.35c5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.4b20000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.4a80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fMNDB.exe.2560ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.4a80ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.fMNDB.exe.223f61e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2893613189.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2893613189.000000000260F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2893797859.00000000027DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1832183101.000000000258F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2893797859.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1832183101.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fMNDB.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fMNDB.exe PID: 7796, type: MEMORYSTR

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

ID:	1467918
Product:	CloudBasic
Start time:	01:28:05
Start date:	05.07.2024
Sample:	1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	dd1bd551108f3ec1e9e775c7b09a0e1c
SHA1:	418ec6e49557849276c4a8198b92eff0af4b957f
SHA256:	e347ded6059659a1c81d016b64bb550d7fe94fb789957ed5f312eacebb8944db
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	PE32 executable (GUI) Intel 80386, for MS Windows	DD1BD551108F3EC1E9E775C7B09A0E1C	418EC6E49557849276C4A8198B92EFF0AF4B957F	E347DED6059659A1C81D016B64BB550D7FE94FB789957ED5F312EACEBB8944DB
C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

Malware Threat Intel
Provided by