Windows Analysis Report
6xmBUtHylU.exe

Overview

General Information

Sample name:	6xmBUtHylU.exe renamed because original name is a hash value
Original sample name:	b82c80a3ce9b5c44391d3f11307f8b8e.exe
Analysis ID:	1467945
MD5:	b82c80a3ce9b5c44391d3f11307f8b8e
SHA1:	7480059bc051383eaaf0d83b7f39d7c4989e4dea
SHA256:	ce9b5ec3693188ed91e363e55286cd212f44912b042bd83a924af2f43daaa55f
Tags:	64exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://citizencenturygoodwk.shop:443/api	Avira URL Cloud: Label: malware
Source: https://citizencenturygoodwk.shop/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.BitLockerToGo.exe.230000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["benchillppwo.shop", "publicitttyps.shop", "answerrsdo.shop", "radiationnopp.shop", "affecthorsedpo.shop", "bargainnykwo.shop", "bannngwko.shop", "bouncedgowp.shop", "citizencenturygoodwk.shop"], "Build id": "LPnhqo--@SEFYALUV"}

Multi AV Scanner detection for domain / URL

Source: citizencenturygoodwk.shop

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for submitted file

Source: 6xmBUtHylU.exe	ReversingLabs: Detection: 42%
Source: 6xmBUtHylU.exe	Virustotal: Detection: 30%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: benchillppwo.shop
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: publicitttyps.shop
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: answerrsdo.shop
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: radiationnopp.shop
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: affecthorsedpo.shop
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: bargainnykwo.shop
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: bannngwko.shop
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: bouncedgowp.shop
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: citizencenturygoodwk.shop
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String decryptor: LPnhqo--@SEFYALUV

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00246CD0 CryptUnprotectData,

3_2_00246CD0

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49722 version: TLS 1.2

Source: 6xmBUtHylU.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: 6xmBUtHylU.exe, 00000000.00000003.2193938229.00000245F7550000.00000004.00001000.00020000.00000000.sdmp, 6xmBUtHylU.exe, 00000000.00000003.2195259181.000000C0004DA000.00000004.00001000.00020000.00000000.sdmp, 6xmBUtHylU.exe, 00000000.00000003.2193969767.00000245F7510000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: 6xmBUtHylU.exe, 00000000.00000003.2193938229.00000245F7550000.00000004.00001000.00020000.00000000.sdmp, 6xmBUtHylU.exe, 00000000.00000003.2195259181.000000C0004DA000.00000004.00001000.00020000.00000000.sdmp, 6xmBUtHylU.exe, 00000000.00000003.2193969767.00000245F7510000.00000004.00001000.00020000.00000000.sdmp

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0024E880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00248088
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+68h]	3_2_0024709B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, ecx	3_2_0024709B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00250BD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp+24h], 0000005Ch	3_2_00263425
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	3_2_00239C30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00258C4B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	3_2_0023F490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	3_2_00265512
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0024662A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	3_2_0024AF90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00246790
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp dword ptr [00273570h]	3_2_0025302C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebp	3_2_00231072
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+00000124h], ecx	3_2_00258087
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	3_2_002400F1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00255920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edi+eax*4], dx	3_2_00238130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]	3_2_00238130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push edi	3_2_0023C113
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00253142
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	3_2_002699C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+10h]	3_2_00256A83
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push esi	3_2_0024F283
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then inc ebx	3_2_00245A90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_0023E2D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, eax	3_2_00233350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_0024ABB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00260B80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	3_2_0024DBEE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	3_2_0024DBEE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+24h]	3_2_002403C8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	3_2_00267442
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	3_2_00232CA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	3_2_00252C9D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	3_2_00269CE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	3_2_002504D6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp+08h]	3_2_00239510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp+04h]	3_2_00239510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_00233510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ecx	3_2_00254E6B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, edx	3_2_00254E6B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+10h]	3_2_002586C4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+10h]	3_2_002586C7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_002397D0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: benchillppwo.shop
Source: Malware configuration extractor	URLs: publicitttyps.shop
Source: Malware configuration extractor	URLs: answerrsdo.shop
Source: Malware configuration extractor	URLs: radiationnopp.shop
Source: Malware configuration extractor	URLs: affecthorsedpo.shop
Source: Malware configuration extractor	URLs: bargainnykwo.shop
Source: Malware configuration extractor	URLs: bannngwko.shop
Source: Malware configuration extractor	URLs: bouncedgowp.shop
Source: Malware configuration extractor	URLs: citizencenturygoodwk.shop

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: citizencenturygoodwk.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 51Host: citizencenturygoodwk.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12863Host: citizencenturygoodwk.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15109Host: citizencenturygoodwk.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19967Host: citizencenturygoodwk.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7100Host: citizencenturygoodwk.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1264Host: citizencenturygoodwk.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 584888Host: citizencenturygoodwk.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: citizencenturygoodwk.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: citizencenturygoodwk.shop

Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000003.00000003.2250701299.0000000004B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop/
Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279475230.0000000002886000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop/.
Source: BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2250362177.0000000002885000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop/4Y
Source: BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279500194.0000000002896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop/api
Source: BitLockerToGo.exe, 00000003.00000002.2328165604.000000000288C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop/api9(
Source: BitLockerToGo.exe, 00000003.00000002.2328165604.000000000288C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2300807361.000000000288C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop/api=/
Source: BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop/apiP
Source: BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2250362177.0000000002885000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop/apiU6
Source: BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002871000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2227392089.0000000002871000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop/apiX
Source: BitLockerToGo.exe, 00000003.00000002.2328165604.000000000288C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2300807361.000000000288C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop/apie6-
Source: BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop/ez
Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2328165604.000000000288C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279475230.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop/z
Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002823000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop:443/api
Source: BitLockerToGo.exe, 00000003.00000002.2328165604.00000000027E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citizencenturygoodwk.shop:443/apiK
Source: BitLockerToGo.exe, 00000003.00000003.2252075967.0000000004A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: BitLockerToGo.exe, 00000003.00000003.2228157227.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000003.00000003.2228157227.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000003.00000003.2228157227.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BitLockerToGo.exe, 00000003.00000003.2252075967.0000000004A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 6xmBUtHylU.exe	String found in binary or memory: https://login.chinacloudapi.cn/http2:
Source: 6xmBUtHylU.exe	String found in binary or memory: https://login.microsoftonline.com/stream
Source: 6xmBUtHylU.exe	String found in binary or memory: https://management.azure.cominvalid
Source: 6xmBUtHylU.exe	String found in binary or memory: https://management.chinacloudapi.cnCONTINUATION
Source: 6xmBUtHylU.exe	String found in binary or memory: https://management.core.chinacloudapi.cnFrame
Source: 6xmBUtHylU.exe	String found in binary or memory: https://management.core.usgovcloudapi.nethttp2:
Source: 6xmBUtHylU.exe	String found in binary or memory: https://management.usgovcloudapi.nethttps://management.core.windows.net/
Source: BitLockerToGo.exe, 00000003.00000003.2251568251.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000003.00000003.2251568251.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000003.00000003.2251991909.0000000004AA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: BitLockerToGo.exe, 00000003.00000003.2251991909.0000000004AA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: BitLockerToGo.exe, 00000003.00000003.2251568251.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: BitLockerToGo.exe, 00000003.00000003.2251568251.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: BitLockerToGo.exe, 00000003.00000003.2251568251.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49722 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0025E4A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_0025E4A0

Contains functionality to read the clipboard data

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0025E4A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_0025E4A0

Contains functionality to record screenshots

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0025E680 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

3_2_0025E680

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2208741125.000000C000374000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Detected potential crypto function

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0024E880	3_2_0024E880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00251910	3_2_00251910
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00245C00	3_2_00245C00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00234C50	3_2_00234C50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0024662A	3_2_0024662A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00250FBC	3_2_00250FBC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00231072	3_2_00231072
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00233850	3_2_00233850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00252052	3_2_00252052
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00238130	3_2_00238130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00253142	3_2_00253142
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_002699C0	3_2_002699C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0026B270	3_2_0026B270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00234240	3_2_00234240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00236A40	3_2_00236A40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0026FACD	3_2_0026FACD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0023F300	3_2_0023F300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0024DBEE	3_2_0024DBEE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00259BC7	3_2_00259BC7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00255BD0	3_2_00255BD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00236470	3_2_00236470
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00252C9D	3_2_00252C9D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00269CE0	3_2_00269CE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00262CC0	3_2_00262CC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0025AD4D	3_2_0025AD4D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0026B5C0	3_2_0026B5C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00231E20	3_2_00231E20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00254E6B	3_2_00254E6B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0024FFB0	3_2_0024FFB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00265F90	3_2_00265F90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_002537FE	3_2_002537FE

Found potential string decryption / allocating functions

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00239280 appears 122 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00238B80 appears 43 times

PE file contains more sections than normal

Source: 6xmBUtHylU.exe

Static PE information: Number of sections : 12 > 10

Sample file is different than original file name gathered from version info

Source: 6xmBUtHylU.exe, 00000000.00000003.2193938229.00000245F7550000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 6xmBUtHylU.exe
Source: 6xmBUtHylU.exe, 00000000.00000003.2195259181.000000C0004DA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 6xmBUtHylU.exe
Source: 6xmBUtHylU.exe, 00000000.00000000.2101657583.00007FF67F84F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBlancco File.exeDVarFileInfo$ vs 6xmBUtHylU.exe
Source: 6xmBUtHylU.exe, 00000000.00000003.2193969767.00000245F7510000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 6xmBUtHylU.exe
Source: 6xmBUtHylU.exe	Binary or memory string: OriginalFilenameBlancco File.exeDVarFileInfo$ vs 6xmBUtHylU.exe

Yara signature match

Source: 00000000.00000002.2208741125.000000C000374000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0025E089 CoCreateInstance,

3_2_0025E089

Source: C:\Users\user\Desktop\6xmBUtHylU.exe

File created: C:\Users\Public\Libraries\fbnae.scif

Source: 6xmBUtHylU.exe	String found in binary or memory: etlfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntim
Source: 6xmBUtHylU.exe	String found in binary or memory: etlfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntim
Source: 6xmBUtHylU.exe	String found in binary or memory: sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stoppin
Source: 6xmBUtHylU.exe	String found in binary or memory: sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stoppin
Source: 6xmBUtHylU.exe	String found in binary or memory: failed to construct HKDF label: %sinvalid nested repetition operatorinvalid or unsupported Perl syntaxcrypto/rc4: invalid buffer overlapGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizereflect.MakeSlice of non-slice typecrypto/md5: invalid hash state size2006-01-02T15:04:05.999999999Z07:00SubscribeServiceChangeNotificationsCOFF symbols count is absurdly highnot a PE file, smaller than tiny PE` SizeOfRawData is larger than filenetwork dropped connection on resettransport endpoint is not connected1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadlinex509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accesssuperfluous leading zeros in lengthexecutable file not found in %PATH%ber2der: BER tag length is negativehttps://management.chinacloudapi.cnCONTINUATION frame with stream ID 0too many Questions to pack (>65535)transform: short destination buffer'_' must separate successive digitsbigmod: modulus is smaller than natunsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKmime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largeflate: corrupt input before offset P224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitychacha20: output smaller than inputcrypto/cipher: input not full blocksmethod ABI and value ABI don't alignTime.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportaccessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes.Reader.ReadAt: negative offsetlfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: 6xmBUtHylU.exe	String found in binary or memory: failed to construct HKDF label: %sinvalid nested repetition operatorinvalid or unsupported Perl syntaxcrypto/rc4: invalid buffer overlapGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizereflect.MakeSlice of non-slice typecrypto/md5: invalid hash state size2006-01-02T15:04:05.999999999Z07:00SubscribeServiceChangeNotificationsCOFF symbols count is absurdly highnot a PE file, smaller than tiny PE` SizeOfRawData is larger than filenetwork dropped connection on resettransport endpoint is not connected1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadlinex509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accesssuperfluous leading zeros in lengthexecutable file not found in %PATH%ber2der: BER tag length is negativehttps://management.chinacloudapi.cnCONTINUATION frame with stream ID 0too many Questions to pack (>65535)transform: short destination buffer'_' must separate successive digitsbigmod: modulus is smaller than natunsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKmime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largeflate: corrupt input before offset P224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitychacha20: output smaller than inputcrypto/cipher: input not full blocksmethod ABI and value ABI don't alignTime.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportaccessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes.Reader.ReadAt: negative offsetlfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: 6xmBUtHylU.exe	String found in binary or memory: net/addrselect.go
Source: 6xmBUtHylU.exe	String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go

Source: unknown	Process created: C:\Users\user\Desktop\6xmBUtHylU.exe "C:\Users\user\Desktop\6xmBUtHylU.exe"
Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: 6xmBUtHylU.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x277000
Source: 6xmBUtHylU.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x349800

Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: BitLockerToGo.exe, 00000003.00000003.2290216843.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2227392089.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2217427604.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2328165604.00000000027E8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2328165604.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2238156888.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2265630337.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2250362177.0000000002831000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 6xmBUtHylU.exe, 00000000.00000002.2209285482.00000245B1FC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: BitLockerToGo.exe, 00000003.00000003.2238574332.0000000004A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: benchillppwo.shop
Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: publicitttyps.shop
Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: answerrsdo.shop
Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: radiationnopp.shop
Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: affecthorsedpo.shop
Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: bargainnykwo.shop
Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: bannngwko.shop
Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: bouncedgowp.shop
Source: 6xmBUtHylU.exe, 00000000.00000002.2208741125.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: citizencenturygoodwk.shop

Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 230000			Jump to behavior
Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 24B7008			Jump to behavior

Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6xmBUtHylU.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3800, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Source: BitLockerToGo.exe, 00000003.00000003.2290216843.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: BitLockerToGo.exe, 00000003.00000003.2290216843.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: BitLockerToGo.exe, 00000003.00000003.2290216843.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000003.00000003.2227392089.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletD
Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: BitLockerToGo.exe, 00000003.00000003.2227392089.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
Source: BitLockerToGo.exe, 00000003.00000003.2290216843.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: BitLockerToGo.exe, 00000003.00000003.2227392089.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior

Source: Yara match	File source: 00000003.00000003.2279134881.0000000002884000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2279475230.0000000002886000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2227392089.0000000002885000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2265630337.0000000002885000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2250362177.0000000002885000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2265630337.0000000002831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2238156888.0000000002885000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2250362177.0000000002831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2279583257.000000000283E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2279134881.0000000002831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3800, type: MEMORYSTR

Name	Malicious	Antivirus Detection	Reputation
radiationnopp.shop	true	Avira URL Cloud: safe	unknown
publicitttyps.shop	true	Avira URL Cloud: safe	unknown
answerrsdo.shop	true	Avira URL Cloud: safe	unknown
citizencenturygoodwk.shop	true	Avira URL Cloud: safe	unknown
benchillppwo.shop	true	Avira URL Cloud: safe	unknown
bargainnykwo.shop	true	Avira URL Cloud: safe	unknown
bouncedgowp.shop	true	Avira URL Cloud: safe	unknown
https://citizencenturygoodwk.shop/api	true	Avira URL Cloud: malware	unknown
bannngwko.shop	true	Avira URL Cloud: safe	unknown
affecthorsedpo.shop	true	Avira URL Cloud: safe	unknown

ID:	1467945
Product:	CloudBasic
Start time:	06:02:09
Start date:	05.07.2024
Sample:	6xmBUtHylU.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b82c80a3ce9b5c44391d3f11307f8b8e
SHA1:	7480059bc051383eaaf0d83b7f39d7c4989e4dea
SHA256:	ce9b5ec3693188ed91e363e55286cd212f44912b042bd83a924af2f43daaa55f
Filetype:	Win64 Executable (generic) (12005/4) 74.95%

Windows Analysis Report 6xmBUtHylU.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
6xmBUtHylU.exe

Malware Threat Intel
Provided by