Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1563920
MD5: 3273f078f87cebc3b06e9202e3902b5c
SHA1: 03b1971e04c8e67a32f38446bd8bfac41825f9cc
SHA256: 4b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c
Tags: NETAsyncRATexeMSILuser-jstrosch
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected RUNPE
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains very large strings
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: https://nkprotect.net Avira URL Cloud: Label: phishing
Source: http://nkprotect.net Avira URL Cloud: Label: phishing
Source: https://nkprotect.net/check.txt Avira URL Cloud: Label: phishing
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 68%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.5% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 82.197.80.96:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: file.exe, type: SAMPLE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /check.txt HTTP/1.1Host: nkprotect.netConnection: Keep-Alive
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /check.txt HTTP/1.1Host: nkprotect.netConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: nkprotect.net
Source: file.exe String found in binary or memory: http://exmple.com
Source: file.exe String found in binary or memory: http://ip-api.com/csv/?fields=status
Source: file.exe String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: file.exe, 00000000.00000002.2161011605.000002274150D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nkprotect.net
Source: file.exe, 00000000.00000002.2161011605.00000227414EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe String found in binary or memory: https://api.telegram.org/bot
Source: file.exe String found in binary or memory: https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-386.zip
Source: file.exe String found in binary or memory: https://evilcoder.mysellix.io
Source: file.exe, 00000000.00000002.2161011605.00000227414EC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2161011605.0000022741502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nkprotect.net
Source: file.exe, 00000000.00000002.2161011605.0000022741461000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2161011605.00000227414EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nkprotect.net/check.txt
Source: file.exe String found in binary or memory: https://pastebin.com/raw/H3wFXmEi
Source: file.exe String found in binary or memory: https://t.me/XCoderGroup
Source: file.exe String found in binary or memory: https://www.google.com/maps/place/)icons8-letter-16.png
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 82.197.80.96:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: file.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2101315489.000002273EEB7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: file.exe PID: 3364, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
.NET source code contains very large strings
Source: file.exe, SplashScreen.cs Long String: Length: 913540
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF848E74966 0_2_00007FF848E74966
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF848E75712 0_2_00007FF848E75712
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000000.2101315489.000002273EEB7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7z.exe, vs file.exe
Source: file.exe, 00000000.00000000.2101315489.000002273EEB7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000000.2101315489.000002273EEB7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: teTEexe dll sysPEVFT2_FONT_TRUETYPEVFT2_FONT_VECTORVFT2_FONT_RASTERVERSIONED_PRINTERINPUTMETHODCOMMSOUNDINSTALLABLESYSTEMNETWORKMOUSEDISPLAYLANGUAGEKEYBOARDPRINTERVFT_STATIC_LIB0x6VFT_VXDVFT_FONTVFT_DRVVFT_DLLVFT_APPVFT_UNKNOWNVOS__WINDOWS32VOS__PM32VOS__PM16VOS__WINDOWS16VOS__BASEVOS_WINCEVOS_NTVOS_OS232VOS_OS216VOS_DOSVOS_UNKNOWNVOS_NT_WINDOWS32VOS_OS232_PM32VOS_OS216_PM16VOS_DOS_WINDOWS32VOS_DOS_WINDOWS16SPECIALBUILDINFOINFERREDPRIVATEBUILDPATCHEDPRERELEASEImage BaseHeap CommitHeap ReserveStack CommitStack ReserveDLL CharacteristicsSubsystemSubsystem VersionImage VersionOS VersionLinker VersionUninitialized Data SizeInitialized Data SizeCode SizeFile AlignmentSection AlignmentImage SizeMANIFESTHTMLANIICONANICURSORVXDPLUGPLAYDLGINCLUDEVERSIONGROUP_ICONGROUP_CURSORMESSAGETABLERCDATAACCELERATORFONTFONTDIRSTRINGDIALOGMENUICONBITMAPCURSORXBOXEFI ROMEFI RuntimeEFI BootWindows CEPosixWindows CUIWindows GUINativeCEEM32RCEFTriCoreMIPS-FPU16MIPS-FPUAlpha-64MIPS-16PPC-FPPPCAM33ARM-NTARM-ThumbSH5SH4SH3ESH3-DSPSH3MIPS-V2MIPS-R10000MIPS-R4000MIPS-R3000I860SharedNotPagedNotCachedDiscardableExtendedRelocationsGPCOMDATRemoveCommentsUninitializedDataInitializedDataCodeNoPadTerminalServerAwareWDMNoBindNoSEHNoIsolationNX-CompatibleIntegrityRelocatedBig-EndianLittle-EndianUniCPUSystemNetRunRemovableRunNoDebugInfoAggressiveWsTrimNoLocalSymsNoLineNumsNoRelocsLargeAddress32-bitDLLExecutableChecksum errorefi[].ico.bmpversion.txtstring.txt.debugVFT2_DRV_FILESUBTYPE FILETYPE FILEOS VS_FF_ | FILEFLAGS FILEFLAGSMASK ProductVersionFileVersionPRODUCTVERSION FILEVERSION .rsrc_1StringFileInfo, TranslationVALUEVarFileInfoBLOCKVS_VERSION_INFOFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs file.exe
Source: file.exe, 00000000.00000000.2101315489.000002273EEB7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7z.dll, vs file.exe
Source: file.exe, 00000000.00000000.2101315489.000002273F209000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXWorm.exe, vs file.exe
Source: file.exe Binary or memory string: OriginalFilename7z.exe, vs file.exe
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe Binary or memory string: teTEexe dll sysPEVFT2_FONT_TRUETYPEVFT2_FONT_VECTORVFT2_FONT_RASTERVERSIONED_PRINTERINPUTMETHODCOMMSOUNDINSTALLABLESYSTEMNETWORKMOUSEDISPLAYLANGUAGEKEYBOARDPRINTERVFT_STATIC_LIB0x6VFT_VXDVFT_FONTVFT_DRVVFT_DLLVFT_APPVFT_UNKNOWNVOS__WINDOWS32VOS__PM32VOS__PM16VOS__WINDOWS16VOS__BASEVOS_WINCEVOS_NTVOS_OS232VOS_OS216VOS_DOSVOS_UNKNOWNVOS_NT_WINDOWS32VOS_OS232_PM32VOS_OS216_PM16VOS_DOS_WINDOWS32VOS_DOS_WINDOWS16SPECIALBUILDINFOINFERREDPRIVATEBUILDPATCHEDPRERELEASEImage BaseHeap CommitHeap ReserveStack CommitStack ReserveDLL CharacteristicsSubsystemSubsystem VersionImage VersionOS VersionLinker VersionUninitialized Data SizeInitialized Data SizeCode SizeFile AlignmentSection AlignmentImage SizeMANIFESTHTMLANIICONANICURSORVXDPLUGPLAYDLGINCLUDEVERSIONGROUP_ICONGROUP_CURSORMESSAGETABLERCDATAACCELERATORFONTFONTDIRSTRINGDIALOGMENUICONBITMAPCURSORXBOXEFI ROMEFI RuntimeEFI BootWindows CEPosixWindows CUIWindows GUINativeCEEM32RCEFTriCoreMIPS-FPU16MIPS-FPUAlpha-64MIPS-16PPC-FPPPCAM33ARM-NTARM-ThumbSH5SH4SH3ESH3-DSPSH3MIPS-V2MIPS-R10000MIPS-R4000MIPS-R3000I860SharedNotPagedNotCachedDiscardableExtendedRelocationsGPCOMDATRemoveCommentsUninitializedDataInitializedDataCodeNoPadTerminalServerAwareWDMNoBindNoSEHNoIsolationNX-CompatibleIntegrityRelocatedBig-EndianLittle-EndianUniCPUSystemNetRunRemovableRunNoDebugInfoAggressiveWsTrimNoLocalSymsNoLineNumsNoRelocsLargeAddress32-bitDLLExecutableChecksum errorefi[].ico.bmpversion.txtstring.txt.debugVFT2_DRV_FILESUBTYPE FILETYPE FILEOS VS_FF_ | FILEFLAGS FILEFLAGSMASK ProductVersionFileVersionPRODUCTVERSION FILEVERSION .rsrc_1StringFileInfo, TranslationVALUEVarFileInfoBLOCKVS_VERSION_INFOFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs file.exe
Source: file.exe Binary or memory string: OriginalFilename7z.dll, vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameXWorm.exe, vs file.exe
Yara signature match
Source: file.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2101315489.000002273EEB7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: file.exe PID: 3364, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: file.exe, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, ToolsBox.cs Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, Builder.cs Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, SplashScreen.cs Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAB4AAAAQ4CAIAAABnsVYUAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAKdAZJREFUeJzsneuS2zjPredGpiMn+X7uN31y5v7vbMtNmwYPC8IiQVt2swo1ldbIEokTwUcS+c/y+U7J4eODkuXjLcjh8/3n8WOV9d8/3l/XP6PEc8JplPz6OEl5XGn/8v4e5NrId9ivtamy8aG168EgscHx4OHzJJUeJZc9RgmXLYXVAyuhbbJ3tXZW7JjJz8/PoMAfb29RFH3S0tHHUqXRTNde4/vKbl4tbomR9bJRPl8LKZrq1N/MvmV8KfZFsto3mDgGTjCxxV49cQ0F+eclqDP59fHRIJXrfwIBfXx5+3OKjuPHr7+fIemdz2HzZ5qmYuLKMtj1COsnQGQWOrf87fUkbPtRjGRu+ZXJf76//fioy8v76yrh3zLKVvWef/735KhBCdFjKzHllZdIP0QyvD1nRxXKP76u8uPzz0kSJb+vktlI5tL1v+c0eDHB8vnOxgvdfjaHOOjqJC/vq8uddRL+r8yEhBR+niXnWwvpt3Q+AXUCe50wRsvfnjMSqX9Zqpkak9o6jncvr6+hsIkxe1YR9vP42/CTn+t/33i7Axtt9jd2ecNeOD9nEirtmIR/pHaR40WSsYEdoTkG50OkhzBMV0Y9p7hDcaHXkMtFmZnO7dePdW85VanbBbQHjcv3she0IzkfLK2c6arwUrWed2p/KT9FKbv+OyST5fU1NjILea98zsrPtR778qIQ/i9ptVAKspf0sR7+gKQczfXxHZZwhtqmp/5Bes7gQz6Ltwu+dZWToDHIq74NRddJUcfVkT7Xf/w4DTpvaJz99+31VKEdP3/+Pa6y/mP9MxysCsqZXv7P1j9wns7f91CMxfp9XfqOZtCn1LRWO29vIVldjxv4STLuXIqu6EuWOrziKoIGhHNkbT9uPErqxtRYJRNQ8jP0Kxy81UBG9QC8LylVN1Z87B/6BqTBZGueDECXhUvsV6VHlYufALTXhI2VWLXkQ9eWHfMCd2cAulRgOanYssv1vvHkTQBdVktPA6DLRKbZ1ymuoeCE61IAeQHoEFkyabTp/14AuuxXyLQsYLUPVDqARhOSCKBPqr4AaC2HDPYfVj/s9en2TABN6+ojTHuuk5YeE5AF2XBh/f9O7aza3QVAG/Xz0ADaHjJKfs4k5P8qDM3emUhyNbAjjOvB+ZByPMc4RfUz1P9gAA3tslXfTgB9n3q+yDwhKcVG7gRAB7+Nj6B0+rzsAEBf0UzTA+YJoH2FBdDx/ACg4/nfEEAreUxvZ1eXzc5ziQWSadb87aEB9DVFFxB5AugBBUeaHx8OQKPAjgczvgl7pF7fnrC8JFYt+dBFtnNvABpNwGCC3rpvvJQOoOUbmgmGfnAAnSW1CaCNADrL7yHjNQCUewHo7COPteW/P08iwzwL+aEAGo1NJYCuvJ5/Q/95FAB9lsQo+ZlSb48CoHv0DGO8x15kQTZaaP+8VzudACUNZMWLNjGiJYDOI31nALraTQVMKPk5EwVAZ7IJoB3t2xCP9TbX3pR3jFNUP0P93wNAK/4wGkCz+Qf197YA2hC5Xv5TzFj3CaCXGjs+4AcbdwTQ0vGyg4TfTgDtKpfXIPJXATYBdAasvxuAxl/kb7ezq8s4vqKksUAyzSZ/2yGAjr+9pugCIjeMd0rwVgP5+wJomSKtxahB7gWgw7/RohmVHqFAnUtwuAY8+uQWvcluuW+8ziaAlgw6VE4TQPsO8Ja29RRJXgBaKiGWAidayuu87OPh4xYAOuvXmmbvCKDjhHxJP/FeVbpcZtprLqqvD3ND/6EBX0c8mtozAXQTgI7zmVi8biw9hIQsyEYL7Z/3aqcToGzznyyiUWGz7A9Al1fQ60klP2fyrQD0UH9OBOl/GIAuT7b4wwTQ7i5BSfn5xXk8ElO5PQDo8i0cWbmVcl8AnWXUCaCrIYmC1C0nC5kAuq0x2cgVc4KlnV1dxvFVrt6pzAehPDiATurG1C5X/Yv4ov0KB281kL8dgEYFkFcwjAbQegsryLjI1LrjTgDtHPBOABo9UWDv++gAmh4AnOIaiqGdiSBwDGR3ABrYUZ84EX4CRPr/OdLfT8tAs4CPBdAwzxQL6QStxq+5w9vl9fxj8B/Wr2g/vBOArmhAXb8SwaMJoCeANl2fnICx12z2H3lBpb6qU+b35Hgys9oZgGarRx3MJRng/ST6OWdJ8zznGzfNhJW2RQ/xrcPZuMgW79o8X7m+/HfzC0Dw+k52YfMPas+jA2jUzrgngaRy65HYyJ0A6HJ1Sj2O7gWg7RlV90+U65BNvfLV3gC0V30r3VtHz7I2M1mq8P8R0c3m+QXM7xruW4abMZ939XdL5NtCL7Y9tFC8ENG6JwB9bXBKA8oxtCU/4+CtBjILoHtCoOrkmdwIQFcXTXYJhnsBaBjwKFQMieCW5U6sWvKhCzk0aOc+AXQ1BuqFJvbbrHLS7YI/9Z0A2tWfDe1MC8T7AOgsv7cvwXE/AJ0/qrnJJoSWfJjkn6P4SOULQL+8vua+avAf1q9oP5wA+qEAdFm8NtqLLMhGC+2f7PUH1DPJdZr8J15qEyxmoDkG9ZUjZ6/27A9AV7UHdYukrPSeGkBLGfEiCBsXvgC6Uuej+Orwzx5h8w/q73AAbfIi8zId5nb++/YqAXSEdLGR+wHQpRcpfnVHAB0UIj/ga/DPCaA34pc1Cg+gCWM9L4AOYh+53GozGz/8tgA6ae1lLH55+5OYW3TQK36rYXt4IABtcQiLPDqArm48uB6EmxCGrQUngGYD2yvgCwW2bUKIVlbh7/uEAFr7VA34tpvrGtqZFoj3AdBumxDeCUCXVz4DCBbI4utnetMBNNJzsqnAx8fL6+sE0HpUhiy0fPz5EqHYMB97cADdoyXZzrkJYRuw8Kpnyke/WbFu95/sspsAWrLmTD+HYnHDvQHoUmkba0E
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/1@1/1
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log Jump to behavior
Source: C:\Users\user\Desktop\file.exe Mutant created: NULL
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 68%
Source: file.exe String found in binary or memory: -help
Source: file.exe String found in binary or memory: Check charset encoding and -scs switch.Cannot find listfilebsobbbtbdba-helph?asut012sea0-pstlsdelsncsnrsnssnisnlsnhspfspespdsasscsswsltsccscsslpsosiscrcsemlsfxstmrvuanaxaiiwstxtaoadybspbseUnsupported switch postfix -stmUnsupported switch postfix -bbDuplicate archive path:Incorrect Number of benmchmark iterationsOnly one archive can be created with rename commandstdout mode and email mode cannot be combined-ai switch is not supported for this commandCannot use absolute pathnames for this commandArchive name cannot by emptyCannot find archive nameUnsupported -spf:2Unsupported command:The command must be spcifiedThere is no second file name for rename pair:Unsupported rename command:-rIncorrect wildcard type markerToo short switchUnsupported Map data sizeMap data errorUnsupported Map dataMapViewOfFile errorCan not open mappingIncorrect volume size:incorrect update switch commandUnsupported charset:Can not delete output folderCan not delete output fileCan not rename existing fileCan not create file with auto nameSeSecurityPrivilege
Source: file.exe String found in binary or memory: [ Play ]9StopToolStripMenuItem1.Image-StopToolStripMenuItem1
Source: file.exe String found in binary or memory: [ Extra 1 ]IReportWindowToolStripMenuItem1.Image=ReportWindowToolStripMenuItem1![ ReportWindow ]9StartToolStripMenuItem.Image-StartToolStripMenuItem7StopToolStripMenuItem.Image+StopToolStripMenuItemGPerformanceToolStripMenuItem1.Image;PerformanceToolStripMenuItem1
Source: file.exe String found in binary or memory: -Plugins\Ransomware.dll1Plugins\ReverseProxy.dll7Plugins\Ngrok-Installer.dll
Source: file.exe String found in binary or memory: cActiveWindows.dll,Chat.dll,Clipboard.dll,FileManager.dll,FilesSearcher.dll,HRDP.dll,HVNC.dll,Informations.dll,Keylogger.dll,Maps.dll,Microphone.dll,Ngrok-Installer.dll,Options.dll,Pastime.dll,Performance.dll,ProcessManager.dll,Programs.dll,Ransomware.dll,Chromium.dll,Recovery.dll,Stealer.dll,Regedit.dll,RemoteDesktop.dll,ReverseProxy.dll,RunPE.dll,Shell.dll,StartupManager.dll,TCPConnections.dll,UACBypass.dll,VB.NET Compiler.dll,WebCam.dll,WSound.dll,ServiceManager.dll,MessageBox.dll,HVNCMemory.dll,Cmstp-Bypass.dll,HiddenApps.dll,HBrowser.dll,VoiceChat.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 15604224 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xebf200
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF848E700BD pushad ; iretd 0_2_00007FF848E700C1
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected RUNPE
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.2101315489.000002273F209000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3364, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: file.exe Binary or memory string: IF GETMODULEHANDLE("SBIEDLL.DLL").TOINT32() <> 0 THEN
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2273F680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 22759460000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 4712 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6984 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: file.exe Binary or memory string: If (manufacturer = "microsoft corporation" AndAlso item("Model").ToString().ToUpperInvariant().Contains("VIRTUAL")) OrElse manufacturer.Contains("vmware") OrElse item("Model").ToString() = "VirtualBox" Then
Source: file.exe, 00000000.00000002.2160556359.0000022741282000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 3364, type: MEMORYSTR

Language, Device and Operating System Detection
barindex
Yara detected Telegram Recon
Source: Yara match File source: file.exe, type: SAMPLE
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Telegram RAT
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.2101315489.000002273EEB7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3364, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.2101315489.000002273EEB7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2101315489.000002273F209000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3364, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Telegram RAT
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.2101315489.000002273EEB7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3364, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.2101315489.000002273EEB7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2101315489.000002273F209000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3364, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1563920 Sample: file.exe Startdate: 27/11/2024 Architecture: WINDOWS Score: 100 12 shed.dual-low.s-part-0015.t-0009.t-msedge.net 2->12 14 s-part-0015.t-0009.t-msedge.net 2->14 16 nkprotect.net 2->16 20 Malicious sample detected (through community Yara rule) 2->20 22 Antivirus detection for URL or domain 2->22 24 Antivirus / Scanner detection for submitted sample 2->24 26 11 other signatures 2->26 6 file.exe 14 3 2->6         started        signatures3 process4 dnsIp5 18 nkprotect.net 82.197.80.96, 443, 49704 C4L-ASGB United Kingdom 6->18 10 C:\Users\user\AppData\Local\...\file.exe.log, CSV 6->10 dropped file6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
82.197.80.96
 nkprotect.net United Kingdom
25577 C4L-ASGB false

Contacted Domains

Name IP Active
nkprotect.net 82.197.80.96 true
s-part-0015.t-0009.t-msedge.net 13.107.246.43 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://nkprotect.net/check.txt false
  • Avira URL Cloud: phishing
 unknown