Windows Analysis Report
Botkiller.exe

Overview

General Information

Sample name: Botkiller.exe
Analysis ID: 1477924
MD5: a668cb93c16026b6ee15b96dbd13d64f
SHA1: 878b50a51f28a78ab4350d0c8b327c8172301de6
SHA256: 1adf26633c17278c9b930529b164637a8942cbb1f3267afafec63b56de51dd96
Infos:

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Njrat
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Disables zone checking for all users
Machine Learning detection for dropped file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious desktop.ini Action
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
NjRAT RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Botkiller.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Avira: detection malicious, Label: TR/Dropper.Gen
Found malware configuration
Source: 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Njrat {"Host": "45.83.207.67", "Port": "6522Z", "Version": "0.7.3", "Campaign ID": "Lime", "Install Name": "Botkiller.exe", "Install Dir": "AppData"}
Multi AV Scanner detection for domain / URL
Source: 45.83.207.67 Virustotal: Detection: 17% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Botkiller.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Virustotal: Detection: 72% Perma Link
Multi AV Scanner detection for submitted file
Source: Botkiller.exe ReversingLabs: Detection: 78%
Source: Botkiller.exe Virustotal: Detection: 72% Perma Link
Yara detected Njrat
Source: Yara match File source: 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Botkiller.exe PID: 6748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Botkiller.exe PID: 3444, type: MEMORYSTR
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Botkiller.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Botkiller.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Botkiller.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: Botkiller.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52550 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52553 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52554 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52555 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52556 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52557 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52558 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52559 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52560 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52561 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52562 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52563 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52564 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52565 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52566 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52567 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52568 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52569 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52570 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52571 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52572 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52573 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52574 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52575 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52576 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52577 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52578 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52579 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52580 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52581 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52582 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52583 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52584 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52585 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52586 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52587 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52588 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52589 -> 45.83.207.67:6522
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:52590 -> 45.83.207.67:6522
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 45.83.207.67
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:52550 -> 45.83.207.67:6522
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUVIDERClouvider-GlobalASNGB CLOUVIDERClouvider-GlobalASNGB
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: unknown TCP traffic detected without corresponding DNS query: 45.83.207.67
Source: Botkiller.exe, 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Botkiller.exe, 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Watch this video to learn how to pay us https://www.youtube.com/watch?v=Ji9IwPId5UkPThis is not a joke. This is a ransomware|Ransomware: Couldn't send address. The stub has no BTC address$Installed Wallet: equals www.youtube.com (Youtube)
Source: Botkiller.exe, 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Botkiller.exe, 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/watch?v=Ji9IwPId5UkPThis

E-Banking Fraud
barindex
Yara detected Njrat
Source: Yara match File source: 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Botkiller.exe PID: 6748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Botkiller.exe PID: 3444, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Botkiller.exe Code function: 0_2_0106A7E6 NtQuerySystemInformation, 0_2_0106A7E6
Source: C:\Users\user\Desktop\Botkiller.exe Code function: 0_2_0106A7AD NtQuerySystemInformation, 0_2_0106A7AD
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Code function: 8_2_00EEA7E6 NtQuerySystemInformation, 8_2_00EEA7E6
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Code function: 8_2_00EEA7AD NtQuerySystemInformation, 8_2_00EEA7AD
Detected potential crypto function
Source: C:\Users\user\Desktop\Botkiller.exe Code function: 0_2_05220080 0_2_05220080
Sample file is different than original file name gathered from version info
Source: Botkiller.exe, 00000000.00000002.1945840318.000000000107E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs Botkiller.exe
Source: Botkiller.exe, 00000008.00000002.4195922298.000000000091E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs Botkiller.exe
Uses 32bit PE files
Source: Botkiller.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Botkiller.exe, ncnGZNwPfpCJUeCmtj.cs Cryptographic APIs: 'CreateDecryptor'
Source: Botkiller.exe, ncnGZNwPfpCJUeCmtj.cs Cryptographic APIs: 'CreateDecryptor'
Source: Botkiller.exe, ncnGZNwPfpCJUeCmtj.cs Cryptographic APIs: 'CreateDecryptor'
Source: Botkiller.exe, ncnGZNwPfpCJUeCmtj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Botkiller.exe.4076df0.1.raw.unpack, ncnGZNwPfpCJUeCmtj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Botkiller.exe.4076df0.1.raw.unpack, ncnGZNwPfpCJUeCmtj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Botkiller.exe.4076df0.1.raw.unpack, ncnGZNwPfpCJUeCmtj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Botkiller.exe.4076df0.1.raw.unpack, ncnGZNwPfpCJUeCmtj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Botkiller.exe.4101e60.0.raw.unpack, ncnGZNwPfpCJUeCmtj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Botkiller.exe.4101e60.0.raw.unpack, ncnGZNwPfpCJUeCmtj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Botkiller.exe.4101e60.0.raw.unpack, ncnGZNwPfpCJUeCmtj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Botkiller.exe.4101e60.0.raw.unpack, ncnGZNwPfpCJUeCmtj.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.phis.troj.evad.winEXE@15/2@0/1
Source: C:\Users\user\Desktop\Botkiller.exe Code function: 0_2_0106B342 AdjustTokenPrivileges, 0_2_0106B342
Source: C:\Users\user\Desktop\Botkiller.exe Code function: 0_2_0106B30B AdjustTokenPrivileges, 0_2_0106B30B
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Code function: 8_2_00EEB342 AdjustTokenPrivileges, 8_2_00EEB342
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Code function: 8_2_00EEB30B AdjustTokenPrivileges, 8_2_00EEB30B
Source: C:\Users\user\Desktop\Botkiller.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Mutant created: \Sessions\1\BaseNamedObjects\Botkiller.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1860:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03
Source: Botkiller.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Botkiller.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wscript.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wscript.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe")
Source: C:\Users\user\Desktop\Botkiller.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: taskkill.exe, 0000000A.00000002.1954368485.0000000000A78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe")\Program;;
Source: Botkiller.exe ReversingLabs: Detection: 78%
Source: Botkiller.exe Virustotal: Detection: 72%
Source: C:\Users\user\Desktop\Botkiller.exe File read: C:\Users\user\Desktop\Botkiller.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Botkiller.exe "C:\Users\user\Desktop\Botkiller.exe"
Source: C:\Users\user\Desktop\Botkiller.exe Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM wscript.exe
Source: C:\Users\user\Desktop\Botkiller.exe Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM cmd.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Botkiller.exe Process created: C:\Users\user\AppData\Roaming\Botkiller.exe "C:\Users\user\AppData\Roaming\Botkiller.exe"
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM wscript.exe
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM cmd.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Botkiller.exe Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM wscript.exe Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM cmd.exe Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process created: C:\Users\user\AppData\Roaming\Botkiller.exe "C:\Users\user\AppData\Roaming\Botkiller.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM wscript.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM cmd.exe Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: Botkiller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Botkiller.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: Botkiller.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: Botkiller.exe, ncnGZNwPfpCJUeCmtj.cs .Net Code: Type.GetTypeFromHandle(yGOIsMyETAuFG166ow.YxJnJ6CyUktBA(16777277)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(yGOIsMyETAuFG166ow.YxJnJ6CyUktBA(16777255)),Type.GetTypeFromHandle(yGOIsMyETAuFG166ow.YxJnJ6CyUktBA(16777250))})
Source: 0.2.Botkiller.exe.4076df0.1.raw.unpack, ncnGZNwPfpCJUeCmtj.cs .Net Code: Type.GetTypeFromHandle(yGOIsMyETAuFG166ow.YxJnJ6CyUktBA(16777277)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(yGOIsMyETAuFG166ow.YxJnJ6CyUktBA(16777255)),Type.GetTypeFromHandle(yGOIsMyETAuFG166ow.YxJnJ6CyUktBA(16777250))})
Source: 0.2.Botkiller.exe.4101e60.0.raw.unpack, ncnGZNwPfpCJUeCmtj.cs .Net Code: Type.GetTypeFromHandle(yGOIsMyETAuFG166ow.YxJnJ6CyUktBA(16777277)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(yGOIsMyETAuFG166ow.YxJnJ6CyUktBA(16777255)),Type.GetTypeFromHandle(yGOIsMyETAuFG166ow.YxJnJ6CyUktBA(16777250))})
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Botkiller.exe Code function: 0_2_05383719 push esp; iretd 0_2_0538371A
Source: C:\Users\user\Desktop\Botkiller.exe Code function: 0_2_053831B0 push cs; iretd 0_2_053831CA
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Code function: 8_2_00EF3802 push ebp; ret 8_2_00EF380D
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Code function: 8_2_04D97200 push eax; iretd 8_2_04D97201
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Code function: 8_2_04D931B0 push cs; iretd 8_2_04D931CA
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Code function: 8_2_04D93719 push esp; iretd 8_2_04D9371A
Source: Botkiller.exe, NhreygcXXMdvaRRkkA.cs High entropy of concatenated method names: 'caU8Ovu5r', 'GoH3ih4m3', 'btx4IqAmJ', 'oQ6OfxtT9', 'a7eDtX4dg', 'z6E2AIDLe', 'ENIwnoG4a', 'I0h7AoUoi', 'jcUfRFSND', 'oket1Tbqq'
Source: Botkiller.exe, ncnGZNwPfpCJUeCmtj.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'KGjVvHpp9v', 'mnbnJ69ChIq1J', 'A1mI1DgWD0', 'dhuIeARhF2', 'z9cIlnNWdG', 'VMmIF1vng3', 'SFrIB2JvG0', 'HmJICJSbbA', 'hgUIh7UZqZ'
Source: Botkiller.exe, e8EidKugxv0oT3hZhb.cs High entropy of concatenated method names: 'Vrgdckc51m', 'U9Jdzoj1kS', 'UMWdjcoVRr', 'Y6MdvAyt9w', 'McgdalcYnR', 'acPdTBKJ6Z', 'MGjdRSRahY', 'ln0dgQ9rek', 'taAd5VfRjb', 'l5EduTZLXD'
Source: 0.2.Botkiller.exe.4076df0.1.raw.unpack, NhreygcXXMdvaRRkkA.cs High entropy of concatenated method names: 'caU8Ovu5r', 'GoH3ih4m3', 'btx4IqAmJ', 'oQ6OfxtT9', 'a7eDtX4dg', 'z6E2AIDLe', 'ENIwnoG4a', 'I0h7AoUoi', 'jcUfRFSND', 'oket1Tbqq'
Source: 0.2.Botkiller.exe.4076df0.1.raw.unpack, ncnGZNwPfpCJUeCmtj.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'KGjVvHpp9v', 'mnbnJ69ChIq1J', 'A1mI1DgWD0', 'dhuIeARhF2', 'z9cIlnNWdG', 'VMmIF1vng3', 'SFrIB2JvG0', 'HmJICJSbbA', 'hgUIh7UZqZ'
Source: 0.2.Botkiller.exe.4076df0.1.raw.unpack, e8EidKugxv0oT3hZhb.cs High entropy of concatenated method names: 'Vrgdckc51m', 'U9Jdzoj1kS', 'UMWdjcoVRr', 'Y6MdvAyt9w', 'McgdalcYnR', 'acPdTBKJ6Z', 'MGjdRSRahY', 'ln0dgQ9rek', 'taAd5VfRjb', 'l5EduTZLXD'
Source: 0.2.Botkiller.exe.4101e60.0.raw.unpack, NhreygcXXMdvaRRkkA.cs High entropy of concatenated method names: 'caU8Ovu5r', 'GoH3ih4m3', 'btx4IqAmJ', 'oQ6OfxtT9', 'a7eDtX4dg', 'z6E2AIDLe', 'ENIwnoG4a', 'I0h7AoUoi', 'jcUfRFSND', 'oket1Tbqq'
Source: 0.2.Botkiller.exe.4101e60.0.raw.unpack, ncnGZNwPfpCJUeCmtj.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'KGjVvHpp9v', 'mnbnJ69ChIq1J', 'A1mI1DgWD0', 'dhuIeARhF2', 'z9cIlnNWdG', 'VMmIF1vng3', 'SFrIB2JvG0', 'HmJICJSbbA', 'hgUIh7UZqZ'
Source: 0.2.Botkiller.exe.4101e60.0.raw.unpack, e8EidKugxv0oT3hZhb.cs High entropy of concatenated method names: 'Vrgdckc51m', 'U9Jdzoj1kS', 'UMWdjcoVRr', 'Y6MdvAyt9w', 'McgdalcYnR', 'acPdTBKJ6Z', 'MGjdRSRahY', 'ln0dgQ9rek', 'taAd5VfRjb', 'l5EduTZLXD'
Drops PE files
Source: C:\Users\user\Desktop\Botkiller.exe File created: C:\Users\user\AppData\Roaming\Botkiller.exe Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\Botkiller.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\Botkiller.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Botkiller.exe Memory allocated: 1300000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Memory allocated: 3070000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Memory allocated: 5070000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Memory allocated: 2A00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Memory allocated: 2A00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Memory allocated: 4A00000 memory commit | memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Botkiller.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Botkiller.exe Window / User API: threadDelayed 960 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Window / User API: threadDelayed 950 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Window / User API: threadDelayed 1238 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Window / User API: threadDelayed 3807 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Window / User API: threadDelayed 3461 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Window / User API: foregroundWindowGot 1760 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Botkiller.exe TID: 5180 Thread sleep count: 960 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe TID: 3164 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe TID: 5428 Thread sleep count: 950 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe TID: 5428 Thread sleep count: 1238 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe TID: 5428 Thread sleep time: -1238000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe TID: 2108 Thread sleep count: 3807 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe TID: 5428 Thread sleep count: 3461 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe TID: 5428 Thread sleep time: -3461000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Botkiller.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Botkiller.exe, 00000008.00000002.4195922298.000000000091E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx9g
Source: Botkiller.exe, 00000000.00000002.1945840318.00000000010FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:`
Source: Botkiller.exe, 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxServicevAntiProcess: VirtrualBox was detected! Reconnect after 5min"Sandboxie Control\AntiProcess: Sandboxie was detected and killed
Source: Botkiller.exe, 00000008.00000002.4195922298.000000000091E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Botkiller.exe, 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VGAuthServicelAntiProcess: VMware was detected! Reconnect after 5min
Source: C:\Users\user\Desktop\Botkiller.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Botkiller.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Botkiller.exe Process created: C:\Users\user\AppData\Roaming\Botkiller.exe "C:\Users\user\AppData\Roaming\Botkiller.exe" Jump to behavior
Uses taskkill to terminate processes
Source: C:\Users\user\Desktop\Botkiller.exe Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM wscript.exe Jump to behavior
Source: C:\Users\user\Desktop\Botkiller.exe Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM cmd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM wscript.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM cmd.exe Jump to behavior
Source: Botkiller.exe, 00000008.00000002.4199453266.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, Botkiller.exe, 00000008.00000002.4199453266.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: Botkiller.exe, 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Botkiller.exe, 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Shell_traywnd~TaskManagerDisbale: Lime's Stub is not running as administrator
Source: Botkiller.exe, 00000008.00000002.4199453266.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, Botkiller.exe, 00000008.00000002.4199453266.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@9
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disables zone checking for all users
Source: C:\Users\user\AppData\Roaming\Botkiller.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Botkiller.exe, 00000008.00000002.4196294982.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, Botkiller.exe, 00000008.00000002.4195922298.00000000009D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r\MsMpeng.exe
Source: Botkiller.exe, 00000008.00000002.4196294982.00000000009E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: Botkiller.exe, 00000008.00000002.4196294982.00000000009E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rogramFiles%\Windows Defender\MsMpeng.exe
Source: Botkiller.exe, 00000008.00000002.4197295194.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp, Botkiller.exe, 00000008.00000002.4197495555.0000000000AED000.00000004.00000020.00020000.00000000.sdmp, Botkiller.exe, 00000008.00000002.4195922298.000000000091E000.00000004.00000020.00020000.00000000.sdmp, Botkiller.exe, 00000008.00000002.4196294982.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, Botkiller.exe, 00000008.00000002.4195922298.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, Botkiller.exe, 00000008.00000002.4196294982.00000000009F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Botkiller.exe, 00000008.00000002.4196294982.00000000009E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Botkiller.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected Njrat
Source: Yara match File source: 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Botkiller.exe PID: 6748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Botkiller.exe PID: 3444, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Njrat
Source: Yara match File source: 00000008.00000002.4199453266.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1947714950.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Botkiller.exe PID: 6748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Botkiller.exe PID: 3444, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1477924 Sample: Botkiller.exe Startdate: 22/07/2024 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic 2->37 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 8 other signatures 2->43 8 Botkiller.exe 1 6 2->8         started        process3 file4 31 C:\Users\user\AppData\Roaming\Botkiller.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\...\Botkiller.exe.log, ASCII 8->33 dropped 11 Botkiller.exe 2 5 8->11         started        15 taskkill.exe 1 8->15         started        17 taskkill.exe 1 8->17         started        process5 dnsIp6 35 45.83.207.67, 52550, 52553, 52554 CLOUVIDERClouvider-GlobalASNGB Netherlands 11->35 45 Antivirus detection for dropped file 11->45 47 Multi AV Scanner detection for dropped file 11->47 49 Machine Learning detection for dropped file 11->49 51 2 other signatures 11->51 19 taskkill.exe 1 11->19         started        21 taskkill.exe 1 11->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        signatures7 process8 process9 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.83.207.67
 unknown Netherlands
62240 CLOUVIDERClouvider-GlobalASNGB true

Contacted URLs

Name Malicious Antivirus Detection Reputation
45.83.207.67 true
  • 17%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown