Source: LisectAVT_2403002A_262.exe |
ReversingLabs: Detection: 55% |
Source: LisectAVT_2403002A_262.exe |
Virustotal: Detection: 60% |
Source: LisectAVT_2403002A_262.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: unknown |
TCP traffic detected without corresponding DNS query: 193.233.132.190 (reported 5 times) |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_002CE0A0 recv,setsockopt,setsockopt,connect,setsockopt, |
0_2_002CE0A0 |
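The two findings above (repeated connects to 193.233.132.190 with no preceding lookup, and a function that calls connect/recv directly) are what a DNS-to-TCP correlation rule catches. The following is an added example, not code from the sandbox or from the sample: it reads a constructed event log (the line format, host names and timestamps are assumptions), remembers every address returned in a DNS answer, and flags later TCP connections whose destination was never resolved, excluding local infrastructure ranges that legitimately get no lookup.

```python
import ipaddress
import re
from collections import defaultdict

# Destinations that legitimately get no DNS lookup (local infrastructure,
# loopback, link-local, multicast); tune this for the sandbox's own network.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

# Assumed log format, one event per line.
DNS_RE = re.compile(r"^(\S+) DNS query=(\S+) answer=(\S+)$")
TCP_RE = re.compile(r"^(\S+) TCP pid=(\d+) dst=([\d.]+):(\d+)$")

# Constructed sample events (not taken from the report): one host is resolved
# and then contacted, one local SMB connect is noise, the address from the
# report is contacted twice without any lookup, and a second unresolved
# destination appears from another process.
SAMPLE_EVENTS = """\
2024-03-01T10:00:01Z DNS query=api.example.com answer=203.0.113.10
2024-03-01T10:00:02Z TCP pid=1220 dst=203.0.113.10:443
2024-03-01T10:00:03Z TCP pid=1220 dst=192.168.2.5:445
2024-03-01T10:00:05Z TCP pid=1220 dst=193.233.132.190:443
2024-03-01T10:00:06Z TCP pid=1220 dst=193.233.132.190:443
2024-03-01T10:00:09Z TCP pid=3060 dst=198.51.100.7:80
"""


def is_noise(ip):
    """True for addresses we never expect to see resolved via DNS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NOISE_NETS)


def find_hardcoded_c2(log_text):
    """Return {ip: [(timestamp, pid, port), ...]} for TCP connections whose
    destination never appeared in a DNS answer earlier in the log.

    A hard-coded C2 address is contacted without resolution, so there is no
    answer to pair the connect with. Order matters: an answer that arrives
    after the connect does not explain it, so the log is processed in
    sequence and only earlier answers count.
    """
    resolved = set()
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            resolved.add(m.group(3))
            continue
        m = TCP_RE.match(line)
        if m:
            ts, pid, ip, port = m.groups()
            if ip not in resolved and not is_noise(ip):
                flagged[ip].append((ts, int(pid), int(port)))
    return dict(flagged)


def summarize(flagged):
    """One (ip, hit count) pair per destination, the way the report collapses
    repeated hits to a single line."""
    return sorted((ip, len(hits)) for ip, hits in flagged.items())


if __name__ == "__main__":
    for ip, count in summarize(find_hardcoded_c2(SAMPLE_EVENTS)):
        print(f"TCP traffic without corresponding DNS query: {ip} (x{count})")
```

The rule is an indicator rather than proof: a host resolved before capture started, or served from the resolver cache, will also show up as "unresolved", so the result is best read together with the absence of any DNS activity at all, which the report records separately.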
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://www.winimage.com/zLibDll |
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll |
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014AE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/RiseProSUPPORT |
Source: LisectAVT_2403002A_262.exe |
Static PE information: section name: .vmp$PH (reported 3 times) |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Process Stats: CPU usage > 49% |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code functions (54 entries): 0_2_003340A0, 0_2_0033E0F0, 0_2_002BE150, 0_2_00306270, 0_2_003AE264, 0_2_003A8314, 0_2_0033E300, 0_2_0037E300, 0_2_00338370,
0_2_003B0413, 0_2_002DC470, 0_2_00324450, 0_2_002B24F0, 0_2_003104D0, 0_2_0037C580, 0_2_00366630, 0_2_00334610, 0_2_0039A65D,
0_2_0036C770, 0_2_0049885E, 0_2_0033A840, 0_2_002D88A0, 0_2_002FA900, 0_2_0039A99F, 0_2_00332A70, 0_2_002DEA60, 0_2_00370A90,
0_2_002D4AD0, 0_2_0033CC30, 0_2_002DAE30, 0_2_00344EE0, 0_2_00394F58, 0_2_00396F90, 0_2_0033CF80, 0_2_0034B000, 0_2_00335040,
0_2_0033F110, 0_2_00341110, 0_2_00337100, 0_2_002F3160, 0_2_002E11D0, 0_2_002FF280, 0_2_002D3330, 0_2_003453D0, 0_2_0046B450,
0_2_0033D400, 0_2_00385470, 0_2_00381450, 0_2_002EB480, 0_2_003356F0, 0_2_003417F0, 0_2_002E77E0, 0_2_002E58A0, 0_2_0038B900 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: String function: 0038E9C0 appears 34 times |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: String function: 00340F50 appears 87 times |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: String function: 002B2AE0 appears 58 times |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@1/0@0/1 |
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q); |
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger'); |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Section loaded: rstrtmgr.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Section loaded: devobj.dll |
Source: LisectAVT_2403002A_262.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: LisectAVT_2403002A_262.exe |
Static file information: File size 2956293 > 1048576 |
Source: LisectAVT_2403002A_262.exe |
Static PE information: Raw size of .vmp$PH is bigger than: 0x100000 < 0x2ce800 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_002EB480 SHGetFolderPathA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_002EB480 |
Source: LisectAVT_2403002A_262.exe |
Static PE information: real checksum: 0x2deb24 should be: 0x2deb29 |
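The static findings above (a VMProtect section name, a .text virtual size and a .vmp$PH raw size over 0x100000, a file over 1 MiB, and a header checksum that does not match the recomputed one) all come straight from the COFF/optional headers and the section table. The following is an added example, not the sandbox's or the sample's code: it parses those headers with the standard library only, recomputes the PE checksum, and applies the report's thresholds. The image it runs on by default is a constructed minimal PE32 (section names, sizes and the stored checksum are assumptions chosen to trigger the same signatures); pass a real file path to analyze that instead.

```python
import struct
import sys

# Thresholds mirroring the report's static signatures.
BIG_SECTION = 0x100000        # "Virtual size of .text is bigger than: 0x100000"
BIG_FILE = 1048576            # "File size 2956293 > 1048576"
PACKER_PREFIXES = (b".vmp",)  # VMProtect section names (.vmp0, .vmp1, .vmp$PH, ...)


def pe_checksum(data, checksum_offset):
    """Recompute the PE header checksum: 16-bit word sum folded with carry,
    skipping the 4-byte CheckSum field itself, plus the file length (the
    scheme implemented by imagehlp's CheckSumMappedFile and by pefile)."""
    total = 0
    for off in range(0, len(data) & ~1, 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) & 1:                       # odd trailing byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def analyze_pe(data):
    """Parse the COFF header, the optional header's CheckSum and the section
    table of a PE32/PE32+ image; return findings of the kinds the report lists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    stored = struct.unpack_from("<I", data, opt_off + 64)[0]   # CheckSum: same offset in PE32 and PE32+
    computed = pe_checksum(data, opt_off + 64)
    findings = {
        "machine_32bit": machine == 0x14C,
        "pe32_plus": magic == 0x20B,
        "file_size": len(data),
        "file_too_big": len(data) > BIG_FILE,
        "checksum_in_header": stored,
        "checksum_computed": computed,
        # A zero CheckSum means "not set" (common for unsigned builds); only a
        # non-zero value that disagrees with the recomputation is a mismatch.
        "checksum_mismatch": stored != 0 and stored != computed,
        "packer_sections": [],
        "oversized_sections": [],
    }
    sec_off = opt_off + opt_size
    for i in range(nsections):
        raw_name, vsize, _vaddr, rawsize = struct.unpack_from("<8sIII", data, sec_off + 40 * i)
        raw_name = raw_name.rstrip(b"\0")
        name = raw_name.decode("latin-1")
        if raw_name.startswith(PACKER_PREFIXES):
            findings["packer_sections"].append(name)
        if vsize > BIG_SECTION or rawsize > BIG_SECTION:
            findings["oversized_sections"].append((name, vsize, rawsize))
    return findings


def build_sample_pe(sections, stored_checksum=0):
    """Constructed minimal PE32 image (an assumption for this example, not a
    real sample): DOS stub, COFF header, a 224-byte PE32 optional header and
    one section header per (name, virtual_size, raw_size) tuple. Section
    bodies are zero-filled and VirtualAddress is a placeholder; the image is
    meant for header parsing only, not for loading."""
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 64, stored_checksum)   # CheckSum field
    headers_len = pe_off + 4 + len(coff) + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF           # first raw section on a 512-byte boundary
    table = b""
    for name, vsize, rsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, rsize, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += rsize
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (raw_ptr - len(image))      # header padding + zero-filled section bodies


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_pe([(b".text", 0x2000, 0x200), (b".vmp$PH", 0x2CE800, 0x200)],
                               stored_checksum=0x1234)
    for key, value in analyze_pe(data).items():
        print(f"{key}: {value}")
```

A checksum mismatch on its own is weak evidence (many unsigned binaries carry a stale or zero value), which is why the report lists it alongside the packer section name and the oversized sections rather than as a verdict by itself.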
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_0042A0AB push ss; iretd |
0_2_0042A0EA |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_004C2120 pushad ; iretd |
0_2_004C2191 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_0038E588 push ecx; ret |
0_2_0038E59B |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_0041E97D push 7396A22Dh; iretd |
0_2_0041E999 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_004DA980 push ebx; retf |
0_2_004F2F2A |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_004DCA60 push ebx; retf |
0_2_004DCA6A |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_004ECB3C push esp; retf 237Dh |
0_2_004ECB5F |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_004BF1AD push ecx; ret |
0_2_004BF1C9 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_003340A0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_003340A0 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Sandbox detection routine: GetCursorPos, DecisionNode, Sleep |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Evasive API call chain: GetPEB, DecisionNodes, Sleep |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Stalling execution: Execution stalls by calling Sleep |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
API/Special instruction interceptor: Address: 52EEF2 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
API/Special instruction interceptor: Address: 51EB62 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
API/Special instruction interceptor: Address: 521493 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
API/Special instruction interceptor: Address: 5AC5DF |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
API/Special instruction interceptor: Address: 563ADB |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
API/Special instruction interceptor: Address: 55A082 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
API/Special instruction interceptor: Address: 617C84 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, |
0_2_00312530 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 1220 |
Thread sleep count: 3118 > 30 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 1220 |
Thread sleep time: -314918s >= -30000s |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 3060 |
Thread sleep count: 303 > 30 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 1220 |
Thread sleep count: 5366 > 30 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 1220 |
Thread sleep time: -541966s >= -30000s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Last function: Thread delayed |
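The evasion entries above describe one behaviour from three angles: a GetCursorPos/Sleep loop at 0_2_00312530, per-thread Sleep counts far above 30, and cumulative sleep time past the 30000 ms mark. The following is an added example, not the sandbox's own signature engine: it scores a constructed API trace (the line format and the cursor-poll threshold are assumptions; the count and time thresholds are the ones quoted in the report) for stalling and for the "wait until the mouse moves" pattern, which only fires when the cursor position never changes between polls, as it will not on an unattended analysis VM.

```python
import re
from collections import defaultdict

# Count and time limits taken from the report's own wording ("Thread sleep
# count: 3118 > 30", "... >= -30000s"); the cursor-poll limit is an assumption.
SLEEP_COUNT_LIMIT = 30
SLEEP_TOTAL_MS_LIMIT = 30000
CURSOR_POLL_LIMIT = 5

# One API call per line: "tid=<n> <Api>(<args>) -> <retval>" (constructed format).
API_RE = re.compile(r"^tid=(\d+)\s+(\w+)\((.*?)\)(?:\s*->\s*(.*))?$")


def make_sample_trace():
    """Constructed API trace, not the sandbox's: thread 1220 reads the cursor
    and sleeps one second, forty times over, and the cursor never moves because
    nobody is at the console; thread 3060 sleeps briefly and then connects."""
    lines = []
    for _ in range(40):
        lines.append("tid=1220 GetCursorPos() -> (512,384)")
        lines.append("tid=1220 Sleep(1000)")
    for _ in range(3):
        lines.append("tid=3060 Sleep(50)")
    lines.append("tid=3060 connect(193.233.132.190:443) -> 0")
    return "\n".join(lines)


def score_stalling(trace_text):
    """Return sorted (tid, indicator, value) tuples for threads that stall
    (many or long Sleep calls) or spin on GetCursorPos/Sleep waiting for the
    mouse to move."""
    per_thread = defaultdict(lambda: {"sleep_count": 0, "sleep_ms": 0,
                                      "cursor_polls": 0, "cursor_static": 0})
    last_cursor = {}        # tid -> previous GetCursorPos result
    cursor_pending = {}     # tid -> True if the previous call was GetCursorPos
    for line in trace_text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        tid, api, args, ret = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        st = per_thread[tid]
        if api == "Sleep":
            st["sleep_count"] += 1
            st["sleep_ms"] += int(args)
            if cursor_pending.get(tid):             # GetCursorPos immediately followed by Sleep
                st["cursor_polls"] += 1
        elif api == "GetCursorPos":
            if last_cursor.get(tid) == ret:         # same coordinates as last time
                st["cursor_static"] += 1
            last_cursor[tid] = ret
        cursor_pending[tid] = api == "GetCursorPos"
    findings = []
    for tid, st in per_thread.items():
        if st["sleep_count"] > SLEEP_COUNT_LIMIT:
            findings.append((tid, "sleep_count", st["sleep_count"]))
        if st["sleep_ms"] >= SLEEP_TOTAL_MS_LIMIT:
            findings.append((tid, "sleep_ms", st["sleep_ms"]))
        if st["cursor_polls"] >= CURSOR_POLL_LIMIT and st["cursor_static"] >= CURSOR_POLL_LIMIT:
            findings.append((tid, "cursor_poll_loop", st["cursor_polls"]))
    return sorted(findings)


if __name__ == "__main__":
    for tid, indicator, value in score_stalling(make_sample_trace()):
        print(f"TID {tid}: {indicator} = {value}")
```

The cursor check matters because a sandbox that simply fast-forwards Sleep (the usual counter to stalling) does not help here: the loop keeps polling until the coordinates change, so the analysis environment also has to simulate user input, which is why the report lists the two patterns as separate signatures.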
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105722473.00000000010FC000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J |
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} |
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014CB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} |
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014CB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}544 |
Source: LisectAVT_2403002A_262.exe, 00000000.00000003.1670745035.00000000014D7000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} |
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014DF000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}t |
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014CB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_C88909DA |
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014CB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg |
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Process Stats: CPU usage > 42% for more than 60s |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_00312530 mov eax, dword ptr fs:[00000030h] |
0_2_00312530 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Code function: 0_2_002C4100 mov eax, dword ptr fs:[00000030h] |
0_2_002C4100 |
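The `mov eax, dword ptr fs:[00000030h]` entries above are reads of the PEB, the usual first step of a BeingDebugged or Ldr-walk check; a sandbox flags the instruction itself rather than the intent. The following is an added example, not the sandbox's own detector: it scans raw 32-bit code for every encoding of that load (the short A1 form and the 8B/ModRM form for any register) and reports where it occurs. The code fragment it scans is constructed for this example; the base address reuses the function address from the report only to make the output comparable.

```python
import re

# Encodings of "mov r32, dword ptr fs:[30h]": FS override (64h), then either the
# short moffs32 form A1 (eax only) or 8Bh with a ModRM byte of mod=00 rm=101
# (absolute disp32) whose reg field selects the destination register.
PEB_MOV_RE = re.compile(rb"\x64(?:\xA1|\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D]))\x30\x00\x00\x00")
MODRM_REG = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
             0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}


def find_peb_reads(code, base=0):
    """Return (address, register, hex bytes) for every fs:[30h] load in code."""
    hits = []
    for m in PEB_MOV_RE.finditer(code):
        reg = "eax" if m.group(1) is None else MODRM_REG[m.group(1)[0]]
        hits.append((base + m.start(), reg, m.group(0).hex()))
    return hits


# Constructed 32-bit code fragment (not bytes from the sample): a classic
# inline BeingDebugged check followed by the start of a PEB.Ldr walk.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"              # push ebp / mov ebp, esp
    "64 A1 30 00 00 00"     # mov eax, fs:[30h]            -> PEB
    "0F B6 40 02"           # movzx eax, byte ptr [eax+2]  -> PEB.BeingDebugged
    "85 C0"                 # test eax, eax
    "64 8B 0D 30 00 00 00"  # mov ecx, fs:[30h]
    "8B 49 0C"              # mov ecx, [ecx+0Ch]           -> PEB.Ldr
    "C3"                    # ret
)

if __name__ == "__main__":
    for addr, reg, raw in find_peb_reads(SAMPLE_CODE, base=0x00312530):
        print(f"{addr:08X}: mov {reg}, fs:[30h]  ({raw})")
```

Two caveats for using this on a real sample: the CRT and exception dispatch code read the PEB too, so a hit is a lead, not a verdict; and since this file is VMProtect-packed, the scan only finds anything on a memory dump taken after unpacking, which is why the report attributes these instructions to the running process rather than to the file on disk. 64-bit code reaches the PEB through gs:[60h] instead and is not covered by this pattern.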