Windows Analysis Report
dZIZhRHDXv.exe

Overview

General Information

Sample name: dZIZhRHDXv.exe
renamed because original name is a hash value
Original sample name: e5a12459a39aa142a12c58d9afbe5b0d.exe
Analysis ID: 1543219
MD5: e5a12459a39aa142a12c58d9afbe5b0d
SHA1: bebd558572194c56815a2fbaf016d1d4d0922ed3
SHA256: a45e9fae49d4af114a252f3cd5b69f33cb5994915a75cb51983910c9f21d81e5
Tags: exeuser-abuse_ch

Detection

RHADAMANTHYS
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected RHADAMANTHYS Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: 00000000.00000003.1757931236.0000000002880000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://138.201.226.224:9292/bcacc1e7778c536b694/6wlh52ro.x0plp"}
Source: dZIZhRHDXv.exe ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: dZIZhRHDXv.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dZIZhRHDXv.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wkernel32.pdb source: dZIZhRHDXv.exe, 00000000.00000003.1793076231.0000000002A90000.00000004.00000001.00020000.00000000.sdmp, dZIZhRHDXv.exe, 00000000.00000003.1793169848.00000000040B0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1796451170.0000000003460000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1796547390.0000000005580000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: dZIZhRHDXv.exe, 00000000.00000003.1793547768.0000000004250000.00000004.00000001.00020000.00000000.sdmp, dZIZhRHDXv.exe, 00000000.00000003.1793351393.0000000004030000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1796910103.0000000005720000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1796719456.0000000005500000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: dZIZhRHDXv.exe, 00000000.00000003.1792273411.0000000004030000.00000004.00000001.00020000.00000000.sdmp, dZIZhRHDXv.exe, 00000000.00000003.1792472803.0000000004220000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1795816573.00000000056F0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1795591609.0000000005500000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: dZIZhRHDXv.exe, 00000000.00000003.1792713277.0000000004030000.00000004.00000001.00020000.00000000.sdmp, dZIZhRHDXv.exe, 00000000.00000003.1792865220.00000000041D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1796048912.0000000005500000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1796213656.00000000056A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: dZIZhRHDXv.exe, 00000000.00000003.1792273411.0000000004030000.00000004.00000001.00020000.00000000.sdmp, dZIZhRHDXv.exe, 00000000.00000003.1792472803.0000000004220000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1795816573.00000000056F0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1795591609.0000000005500000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dZIZhRHDXv.exe, 00000000.00000003.1792713277.0000000004030000.00000004.00000001.00020000.00000000.sdmp, dZIZhRHDXv.exe, 00000000.00000003.1792865220.00000000041D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1796048912.0000000005500000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1796213656.00000000056A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: E:\cpp\Notepad3\Bin\Release_x86_v143\minipath.pdb source: dZIZhRHDXv.exe
Source: Binary string: wkernel32.pdbUGP source: dZIZhRHDXv.exe, 00000000.00000003.1793076231.0000000002A90000.00000004.00000001.00020000.00000000.sdmp, dZIZhRHDXv.exe, 00000000.00000003.1793169848.00000000040B0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1796451170.0000000003460000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1796547390.0000000005580000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: dZIZhRHDXv.exe, 00000000.00000003.1793547768.0000000004250000.00000004.00000001.00020000.00000000.sdmp, dZIZhRHDXv.exe, 00000000.00000003.1793351393.0000000004030000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1796910103.0000000005720000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1796719456.0000000005500000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E4CEA5 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00E4CEA5

Networking

Source: Malware configuration extractor URLs: https://138.201.226.224:9292/bcacc1e7778c536b694/6wlh52ro.x0plp
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 138.201.226.224:9292
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: unknown TCP traffic detected without corresponding DNS query: 138.201.226.224
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057C9F64 memset,memset,WSARecv,GetLastError,WSAGetLastError,WSAGetLastError,WSAGetLastError,RegisterWaitForSingleObject, 1_2_057C9F64
Source: dialer.exe, 00000001.00000002.3000230789.000000000303C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://138.201.226.224:9292/bcacc1e7778c536b694/6wlh52ro.x0plp
Source: dZIZhRHDXv.exe String found in binary or memory: https://www.flos-freeware.chopenmailto:florian.balmer
Source: dZIZhRHDXv.exe String found in binary or memory: https://www.rizonesoft.com
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E02050 GetFileAttributesW,GetFileAttributesW,MessageBeep,DialogBoxIndirectParamW,LocalFree,ShellExecuteExW,GetShortPathNameW,StrCatBuffW,StrCatBuffW,StrCatBuffW,StrCatBuffW,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageW,SendMessageW,SendMessageW,LdrInitializeThunk,StrRetToBufW,PathRemoveBackslashW,PathIsSameRootW,SetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,PostMessageW,GetFocus,GetDlgCtrlID,GetDlgItem,SetFocus,GetDlgItem,SetFocus,PathFileExistsW,lstrcpyW,StrRChrW,PathIsRootW,SetCurrentDirectoryW,SendMessageW,SendMessageW,lstrcpynW,MessageBeep,lstrcpynW,PathIsRootW,PathIsRootW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW, 0_2_00E02050
Source: dZIZhRHDXv.exe, 00000000.00000003.1793547768.0000000004250000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_cd5390ae-4
Source: dZIZhRHDXv.exe, 00000000.00000003.1793547768.0000000004250000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_c3e6f367-8
Source: Yara match File source: 0.3.dZIZhRHDXv.exe.4250000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.dialer.exe.5720000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.dZIZhRHDXv.exe.4030000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.dZIZhRHDXv.exe.4250000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.dialer.exe.5500000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1793547768.0000000004250000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1796910103.0000000005720000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1793351393.0000000004030000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1796719456.0000000005500000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dZIZhRHDXv.exe PID: 7624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dialer.exe PID: 7684, type: MEMORYSTR
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_02902F40 0_3_02902F40
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_02902640 0_3_02902640
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_02901A40 0_3_02901A40
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_02901FA0 0_3_02901FA0
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_02901710 0_3_02901710
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00DEA0B0 0_2_00DEA0B0
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00DFEFB0 0_2_00DFEFB0
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E1A080 0_2_00E1A080
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E30020 0_2_00E30020
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E3037E 0_2_00E3037E
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E306EB 0_2_00E306EB
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E1A620 0_2_00E1A620
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E009E0 0_2_00E009E0
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E5690C 0_2_00E5690C
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E1AA70 0_2_00E1AA70
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E30A49 0_2_00E30A49
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E2EC1F 0_2_00E2EC1F
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E30E3D 0_2_00E30E3D
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E2EF61 0_2_00E2EF61
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E2F2B2 0_2_00E2F2B2
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E31240 0_2_00E31240
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E5F21D 0_2_00E5F21D
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E173E0 0_2_00E173E0
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E554EF 0_2_00E554EF
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E2F5F4 0_2_00E2F5F4
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00D83987 0_2_00D83987
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E2F953 0_2_00E2F953
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E2FCC1 0_2_00E2FCC1
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E0DFC9 0_2_00E0DFC9
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E17F77 0_2_00E17F77
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057D3573 1_2_057D3573
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057E3524 1_2_057E3524
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057DC458 1_2_057DC458
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057DBC11 1_2_057DBC11
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057E2CBD 1_2_057E2CBD
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057CD73D 1_2_057CD73D
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057E2721 1_2_057E2721
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057DC7EB 1_2_057DC7EB
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057E7FA2 1_2_057E7FA2
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057E3F8C 1_2_057E3F8C
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057C8653 1_2_057C8653
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057E2009 1_2_057E2009
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057D38DB 1_2_057D38DB
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057C834D 1_2_057C834D
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057E3BC5 1_2_057E3BC5
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057E5BA4 1_2_057E5BA4
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057E22B4 1_2_057E22B4
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: String function: 00E09F70 appears 52 times
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: String function: 00E49B2C appears 34 times
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: String function: 00D9C0C3 appears 111 times
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 708
Source: dZIZhRHDXv.exe, 00000000.00000003.1792273411.00000000041A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe, 00000000.00000003.1794274856.0000000002986000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFlashDevelop.exe vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe, 00000000.00000003.1792865220.00000000042FD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe, 00000000.00000003.1793076231.0000000002A90000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe, 00000000.00000000.1757297443.0000000000E82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe, 00000000.00000003.1793547768.0000000004431000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe, 00000000.00000003.1793351393.0000000004030000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe, 00000000.00000003.1757931236.0000000002880000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFlashDevelop.exe vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe, 00000000.00000003.1792472803.00000000043A6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe, 00000000.00000003.1793076231.0000000002B22000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe, 00000000.00000003.1793169848.00000000040B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe, 00000000.00000003.1792713277.0000000004153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe, 00000000.00000003.1793169848.0000000004100000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs dZIZhRHDXv.exe
Source: dZIZhRHDXv.exe Binary or memory string: OriginalFilenameminipath.exeD vs dZIZhRHDXv.exe
Source: classification engine Classification label: mal80.troj.evad.winEXE@5/0@0/1
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00DF86E0 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalFree,GetFocus,MessageBoxExW,LocalFree,LocalFree, 0_2_00DF86E0
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00DFB810 CoCreateInstance,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW, 0_2_00DFB810
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00DFD1D0 FindResourceW,LoadResource,LockResource,SizeofResource,LocalAlloc,FreeResource,lstrlenW,lstrlenW,FreeResource, 0_2_00DFD1D0
Source: C:\Windows\SysWOW64\dialer.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\302c6948-e75b-4b17-9040-ca23feb115ae
Source: dZIZhRHDXv.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\dZIZhRHDXv.exe "C:\Users\user\Desktop\dZIZhRHDXv.exe"
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 708
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 704
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: tapi32.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\dialer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: dZIZhRHDXv.exe Static file information: File size 1374208 > 1048576
Source: dZIZhRHDXv.exe Static PE information: section name: RT_CURSOR
Source: dZIZhRHDXv.exe Static PE information: section name: RT_BITMAP
Source: dZIZhRHDXv.exe Static PE information: section name: RT_ICON
Source: dZIZhRHDXv.exe Static PE information: section name: RT_MENU
Source: dZIZhRHDXv.exe Static PE information: section name: RT_DIALOG
Source: dZIZhRHDXv.exe Static PE information: section name: RT_STRING
Source: dZIZhRHDXv.exe Static PE information: section name: RT_ACCELERATOR
Source: dZIZhRHDXv.exe Static PE information: section name: RT_GROUP_ICON
Source: dZIZhRHDXv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dZIZhRHDXv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dZIZhRHDXv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dZIZhRHDXv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dZIZhRHDXv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dZIZhRHDXv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dZIZhRHDXv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dZIZhRHDXv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dZIZhRHDXv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dZIZhRHDXv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dZIZhRHDXv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E009E0 SendMessageW,LoadLibraryW,GetProcAddress,FreeLibrary,CreateWindowExW,SendMessageW,LoadImageW,CopyImage,GetObjectW,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetSysColor,ImageList_Create,ImageList_AddMasked,DeleteObject,SendMessageW,GetObjectW,ImageList_Create,ImageList_AddMasked,DeleteObject,SendMessageW,GetObjectW,ImageList_Create,ImageList_AddMasked,DeleteObject,SendMessageW,GetSysColor,GetObjectW,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetObjectW,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetSysColor,ImageList_Create,ImageList_AddMasked,SendMessageW,DeleteObject,wsprintfW,lstrcmpiW,lstrcmpiW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,SystemParametersInfoW,SystemParametersInfoW,CreateWindowExW,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,SystemParametersInfoW,SendMessageW,SystemParametersInfoW,GetSysColor,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,SystemParametersInfoW,SystemParametersInfoW,GetSysColor,SendMessageW,SetWindowPos,GetWindowRect,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW, 0_2_00E009E0
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_02914285 push F693B671h; retf 0_3_0291428A
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_02913AF4 pushad ; retf 0_3_02913B03
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_02914F48 push es; ret 0_3_02914F49
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_02910F4E push eax; retf 0_3_02910F4F
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_02913DCE push edi; iretd 0_3_02913DD5
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_0291212F pushad ; ret 0_3_02912137
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_0291457C push esi; ret 0_3_02914580
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_0291216F push ecx; iretd 0_3_0291217B
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00D861D5 push 9D679010h; ret 0_2_00D861EE
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00D861EF push 9D679010h; ret 0_2_00D861EE
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E605E7 push ecx; ret 0_2_00E605FA
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00D84A01 push ebx; retf 0_2_00D84A14
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00D8546E push cs; ret 0_2_00D854B8
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00D83400 push ebp; retf 0_2_00D83406
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00D8383E push ebx; iretd 0_2_00D83840
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00D83901 push ebx; iretd 0_2_00D83983
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_03074305 push F693B671h; retf 1_3_0307430A
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_03073B74 pushad ; retf 1_3_03073B83
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_030721AF pushad ; ret 1_3_030721B7
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_03070FCE push eax; retf 1_3_03070FCF
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_03074FC8 push es; ret 1_3_03074FC9
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_030721EF push ecx; iretd 1_3_030721FB
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_030745FC push esi; ret 1_3_03074600
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_03073E4E push edi; iretd 1_3_03073E55
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_03075CD2 push dword ptr [edx+ebp+3Bh]; retf 1_3_03075CDF
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057E98F0 push eax; ret 1_2_057E991E
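Every line above is a push immediately followed by a return (ret, retf or iretd). A `push imm32; ret` pair is a jump in disguise: the pushed value becomes the return address, so execution continues at imm32 while a linear-sweep disassembler treats the ret as the end of the function. The 0_3_ entries sit in the 02910000 region, outside the main image (0_2_00Dxxxxx/00Exxxxx) and next to the VirtualAlloc/VirtualProtect routine listed later in this report, so they appear to come from dynamically allocated memory dumped mid-unpack, where data bytes also match this pattern (push F693B671h; retf is a likely case). A practitioner therefore checks each target against the process's executable mappings before crediting it as deliberate obfuscation. The following Python does that check; it is an added example written for this report, not code from the sample or from the sandbox, and its byte buffer, base address and mapping list are constructed.

```python
"""Find 'push imm32; ret' / 'push imm32; retf' sequences in a code blob and
judge whether each is a plausible obfuscated jump or bytes that merely
disassemble as one.

Added example for this report; not code from the sample or from the sandbox.
CODE, BASE and EXEC_RANGES are constructed; the immediate F693B671h is the
one reported at 0_3_02914285 above.
"""
import struct

PUSH_IMM32 = 0x68              # push imm32
RET_NEAR, RET_FAR = 0xC3, 0xCB  # ret, retf


def find_push_ret(code, base):
    """Return [(address, target, is_far)] for every 68 imm32 C3|CB sequence.

    'push imm32; ret' pops the pushed value into EIP, so it is 'jmp imm32'
    written in a way that makes a linear-sweep disassembler end the function
    at the ret and lose the real control flow.
    """
    hits = []
    for i in range(len(code) - 5):
        if code[i] == PUSH_IMM32 and code[i + 5] in (RET_NEAR, RET_FAR):
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, target, code[i + 5] == RET_FAR))
    return hits


def classify(hits, exec_ranges):
    """Attach a verdict to each hit.

    'jump'  : target lies in an executable mapping, so a real trampoline.
    'data?' : target maps nowhere known; in a dump of freshly written memory
              this usually means the bytes are data (or not-yet-decrypted
              code) that happen to start with 68 and end with C3/CB.
    A retf also pops a segment selector, which flat 32-bit code almost never
    pushes, so far returns lean toward 'data?' as well.
    """
    out = []
    for addr, target, is_far in hits:
        in_exec = any(lo <= target < lo + size for lo, size in exec_ranges)
        out.append((addr, target, is_far, "jump" if in_exec else "data?"))
    return out


# Constructed buffer: a real trampoline into the mapped region, two nops,
# then the sequence reported above (push F693B671h ; retf), then a ret.
CODE = bytes.fromhex(
    "68 10 12 91 02 C3"   # push 02911210h ; ret
    "90 90"               # nop ; nop
    "68 71 B6 93 F6 CB"   # push F693B671h ; retf
    "C3"                  # ret
)
BASE = 0x02910000                      # constructed load address of the dump
EXEC_RANGES = [(0x02910000, 0x6000)]   # constructed: the one executable mapping


def scan(code=CODE, base=BASE, exec_ranges=EXEC_RANGES):
    """Run both steps over a buffer and return the classified hits."""
    return classify(find_push_ret(code, base), exec_ranges)


if __name__ == "__main__":
    for addr, target, is_far, verdict in scan():
        kind = "retf" if is_far else "ret"
        print(f"{addr:08X}: push {target:08X}h ; {kind:<4} -> {verdict}")
```

On a real dump, feed `scan()` the bytes of the allocation together with the executable regions recorded for the process; only hits whose verdict is `jump` should be counted as control-flow obfuscation, the rest are disassembler noise.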
Source: dZIZhRHDXv.exe Static PE information: section name: .text entropy: 7.308659196103948
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E06140 GetSysColor,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,SetForegroundWindow,GlobalSize,PathIsRelativeW,GetCurrentDirectoryW,PathAppendW,lstrcpyW,GlobalSize,SendMessageW,GlobalFree,LoadStringW,LoadStringW,LoadStringW,StrChrW,MessageBoxW, 0_2_00E06140
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00DFEFB0 DefWindowProcW,SendMessageW,DefWindowProcW,WaitForSingleObject,FindNextChangeNotification,SendMessageW,SetWindowPos,SetWindowPos,DefWindowProcW,ShowOwnedPopups,ShowOwnedPopups,SystemParametersInfoW,GetWindowRect,DrawAnimatedRects,ShowWindow,SetBkColor,SetTextColor,SendMessageW,SetWindowPos,RedrawWindow,IsIconic,ShowWindow,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragFinish,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,SendMessageW,DestroyWindow,DestroyWindow,DestroyWindow,DestroyWindow,GetClientRect,SendMessageW,SendMessageW,UpdateWindow,IsWindowVisible,LoadMenuW,GetSubMenu,SetForegroundWindow,GetCursorPos,SetMenuDefaultItem,TrackPopupMenu,PostMessageW,DestroyMenu,PostMessageW,ShowOwnedPopups, 0_2_00DFEFB0
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E066D0 lstrcpyW,lstrcpyW,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,SetForegroundWindow,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,PostMessageW,StrChrW,MessageBoxW,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ShellExecuteExW,lstrcpynW,wsprintfW,DdeInitializeW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeFreeStringHandle,DdeConnect,lstrlenW,DdeClientTransaction,DdeDisconnect,DdeFreeStringHandle,DdeFreeStringHandle,DdeFreeStringHandle,DdeUninitialize,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW,ShellExecuteExW,DialogBoxIndirectParamW,LocalFree, 0_2_00E066D0
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\dZIZhRHDXv.exe API/Special instruction interceptor: Address: 7FFE2220D044
Source: C:\Windows\SysWOW64\dialer.exe API/Special instruction interceptor: Address: 7FFE2220D044
Source: C:\Windows\SysWOW64\dialer.exe API/Special instruction interceptor: Address: 57F483A
Source: dialer.exe, 00000001.00000002.3000441616.0000000003510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EXEWINDANR.EXE
Source: dialer.exe, 00000001.00000002.3000441616.0000000003510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: dialer.exe, 00000001.00000002.3000441616.0000000003510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU
Source: dialer.exe, 00000001.00000002.3000441616.0000000003510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: dialer.exe, 00000001.00000002.3000441616.0000000003510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
Source: dialer.exe, 00000001.00000002.3000441616.0000000003510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHA
Source: dialer.exe, 00000001.00000002.3000441616.0000000003510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TORUNS.EXEDUMPCAP.EXEDE4
Source: dialer.exe, 00000001.00000002.3000441616.0000000003510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: dialer.exe, 00000001.00000002.3000441616.0000000003510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDANR.EXE
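The upper-cased strings above (EXEWINDANR.EXE, EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU, MP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHA, TORUNS.EXEDUMPCAP.EXEDE4, ...) are pieces of one contiguous, separator-free blocklist of analysis-tool image names that the injected dialer.exe checks running processes against. Reassembling it tells an analyst which tools must be renamed before detonation, and which entries are cut off at either end of a fragment and still need confirming in the dump. The following Python is an added example written for this report, not code from the sample or from the sandbox; FRAGMENTS copies the nine strings reported above verbatim, and PROCESS_LIST is a constructed process list used only to demonstrate the comparison.

```python
"""Reassemble the analysis-tool blocklist from the concatenated, dot-less
fragments the string dump above reports.

Added example for this report; not code from the sample or from the sandbox.
FRAGMENTS copies the nine 'Binary or memory string' values listed above.
PROCESS_LIST is a constructed process list used only to demonstrate the check.
"""
import re
from collections import Counter

FRAGMENTS = [
    "EXEWINDANR.EXE",
    "OLLYDBG.EXE",
    "EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU",
    "X64DBG.EXE",
    "FIDDLER.EXE",
    "MP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHA",
    "TORUNS.EXEDUMPCAP.EXEDE4",
    "DUMPCAP.EXE",
    "WINDANR.EXE",
]

# Constructed: what a process walk might see in an analysis VM where one
# debugger has been renamed and the other tools have not.
PROCESS_LIST = ["explorer.exe", "x64dbg.exe", "fiddler.exe",
                "dbg_renamed.exe", "dumpcap.exe"]

# One name up to and including its .EXE suffix, or a trailing remainder that
# never reached its suffix because the dumped string stopped mid-name.
_TOKEN = re.compile(r"[A-Z0-9_\-]+?\.EXE|[A-Z0-9_\-]+$")


def split_fragment(fragment):
    """'TORUNS.EXEDUMPCAP.EXEDE4' -> ['TORUNS.EXE', 'DUMPCAP.EXE', 'DE4'].

    The last token lacks .EXE when the string was cut at its end. The first
    token may equally be cut at its start (e.g. 'MP.EXE', 'TORUNS.EXE');
    that cannot be seen from the fragment alone, so rebuild_blocklist()
    reports such tokens separately for confirmation in the dump.
    """
    return [m.group(0) for m in _TOKEN.finditer(fragment.upper())]


def rebuild_blocklist(fragments):
    """Return (names, tails, heads).

    names: Counter of complete NAME.EXE tokens -> number of fragments seen in
    tails: tokens missing their .EXE suffix (truncated at the end)
    heads: first tokens that may be truncated at the start: the first token
           of a multi-name fragment, or a token that begins with 'EXE', which
           is usually the tail of a preceding '.EXE' whose dot fell outside
           the dumped string ('EXEWINDANR.EXE')
    """
    names, tails, heads = Counter(), set(), set()
    for frag in fragments:
        tokens = split_fragment(frag)
        if tokens and (len(tokens) > 1 or tokens[0].startswith("EXE")):
            heads.add(tokens[0])
        for tok in tokens:
            if tok.endswith(".EXE"):
                names[tok] += 1
            else:
                tails.add(tok)
    return names, tails, heads


def flagged_processes(blocklist, running):
    """Emulate the sample's check: a case-insensitive compare of each running
    image name against the blocklist. A renamed debugger does not match,
    which is why analysis VMs rename their tooling."""
    return sorted(p for p in running if p.upper() in blocklist)


if __name__ == "__main__":
    names, tails, heads = rebuild_blocklist(FRAGMENTS)
    for name, seen in sorted(names.items()):
        note = "  (verify start in dump)" if name in heads else ""
        print(f"{name:<18} seen in {seen} fragment(s){note}")
    print("truncated tails:", sorted(tails))
    print("would trip the check:", flagged_processes(names, PROCESS_LIST))
```

The heuristic only flags; it never drops a name, because a token such as EXEWINDANR.EXE could in principle be a real image name and only the surrounding bytes in the dump settle it. The three tails (IMMU, PROCESSHA, DE4) are left as fragments rather than guessed at.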
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe API coverage: 6.4 %
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E4CEA5 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00E4CEA5
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E0874A VirtualQuery,GetSystemInfo, 0_2_00E0874A
Source: dialer.exe, 00000001.00000003.1796719456.0000000005500000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: dialer.exe, 00000001.00000002.3000293279.00000000032D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: dialer.exe, 00000001.00000003.1796719456.0000000005500000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_029102CC VirtualAlloc,VirtualAlloc,VirtualProtect,LdrInitializeThunk,VirtualFree, 0_3_029102CC
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E503BC IsDebuggerPresent,OutputDebugStringW, 0_2_00E503BC
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E009E0 SendMessageW,LoadLibraryW,GetProcAddress,FreeLibrary,CreateWindowExW,SendMessageW,LoadImageW,CopyImage,GetObjectW,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetSysColor,ImageList_Create,ImageList_AddMasked,DeleteObject,SendMessageW,GetObjectW,ImageList_Create,ImageList_AddMasked,DeleteObject,SendMessageW,GetObjectW,ImageList_Create,ImageList_AddMasked,DeleteObject,SendMessageW,GetSysColor,GetObjectW,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetObjectW,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetSysColor,ImageList_Create,ImageList_AddMasked,SendMessageW,DeleteObject,wsprintfW,lstrcmpiW,lstrcmpiW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,SystemParametersInfoW,SystemParametersInfoW,CreateWindowExW,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,SystemParametersInfoW,SendMessageW,SystemParametersInfoW,GetSysColor,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,SystemParametersInfoW,SystemParametersInfoW,GetSysColor,SendMessageW,SetWindowPos,GetWindowRect,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW, 0_2_00E009E0
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_3_02910277 mov eax, dword ptr fs:[00000030h] 0_3_02910277
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_0307027F mov eax, dword ptr fs:[00000030h] 1_3_0307027F
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E0934F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00E0934F
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E377CE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E377CE
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E09D68 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E09D68
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: dZIZhRHDXv.exe, 00000000.00000002.1798431879.0000000000E65000.00000002.00000001.01000000.00000003.sdmp, dZIZhRHDXv.exe, 00000000.00000000.1757261691.0000000000E65000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: uxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TW,; :en-USlng/mplng.dllTaskbarCreatedMinPathNotepad3...sdgfdhgfddgnhgsdfsdfggdhffdAutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
Source: dZIZhRHDXv.exe Binary or memory string: Shell_TrayWnd
Source: dZIZhRHDXv.exe Binary or memory string: Guxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TW,; :en-USlng/mplng.dllTaskbarCreatedMinPathNotepad3...sdgfdhgfddgnhgsdfsdfggdhffdAutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E09B84 cpuid 0_2_00E09B84
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: GetUserPreferredUILanguages,GetUserPreferredUILanguages,LocalAlloc,GetUserPreferredUILanguages,LocalFree,GetLocaleInfoEx, 0_2_00DFE070
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: EnumSystemLocalesW, 0_2_00E52DDB
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: EnumSystemLocalesW, 0_2_00E52D72
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: EnumSystemLocalesW, 0_2_00E52E76
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E52F01
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: GetLocaleInfoW, 0_2_00E53154
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: GetLocaleInfoW, 0_2_00E0710F
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00E5327D
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: GetLocaleInfoW, 0_2_00E53383
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: LCIDToLocaleName,GetLocaleInfoEx, 0_2_00E07391
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E53459
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: EnumSystemLocalesW, 0_2_00E49502
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: EnumSystemLocalesW, 0_2_00E496A1
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: ResolveLocaleName,GetLocaleInfoEx, 0_2_00DFDD80
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: GetLocaleInfoEx,SendMessageW,lstrlenW,ResetEvent,lstrlenW,CharPrevW,lstrlenW,CharPrevW,lstrlenW, 0_2_00DFBE60
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: GetLocaleInfoW, 0_2_00E49FE8
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00E4A027 GetSystemTimeAsFileTime, 0_2_00E4A027
Source: C:\Users\user\Desktop\dZIZhRHDXv.exe Code function: 0_2_00DFE360 GetVersion,SetErrorMode,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,OleInitialize,InitCommonControlsEx,RegisterWindowMessageW,GetSysColor,CreateSolidBrush,CreateSolidBrush,GetSysColor,CreateSolidBrush,StrStrIW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,#381,#381,#381,LoadCursorW,RegisterClassW,LoadAcceleratorsW,GetMessageW,GetMessageW,TranslateAcceleratorW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,OleUninitialize,SetThreadPreferredUILanguages,CreateSolidBrush,SetThreadUILanguage,lstrcmpW,CreateSolidBrush,CreateSolidBrush,InitMUILanguage, 0_2_00DFE360
Source: dialer.exe, 00000001.00000002.3000441616.0000000003510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OllyDbg.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000003.1791313957.00000000006A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3000931439.00000000057C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1822087119.0000000005475000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1794640183.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1798820760.0000000003B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000000.00000003.1791313957.00000000006A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3000931439.00000000057C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1822087119.0000000005475000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1794640183.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1798820760.0000000003B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_2_057C9A57 socket,WSAGetLastError,SetHandleInformation,GetLastError,closesocket,bind,WSAGetLastError, 1_2_057C9A57