Windows Analysis Report
e8pLA1OhWt.exe

Overview

General Information

Sample name:	e8pLA1OhWt.exe renamed because original name is a hash value
Original sample name:	fe99a90f23f1885f6cc6fc836e8fe33c806f39fefb6fce7668bbeb98a9fe6a77.exe
Analysis ID:	1571569
MD5:	e0057ae14461e3b8a78e37ec22be695a
SHA1:	b7c77f2dfbe3bb76aca8afc5948e5e598c79cbff
SHA256:	fe99a90f23f1885f6cc6fc836e8fe33c806f39fefb6fce7668bbeb98a9fe6a77
Tags:	213-21-220-222exeuser-JAMESWT_MHT
Infos:

Detection

PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE / OLE file has an invalid certificate

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Desusertion Ports

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: e8pLA1OhWt.exe

Avira: detected

Found malware configuration

Source: e8pLA1OhWt.exe.7456.0.memstrmin

Malware Configuration Extractor: RedLine {"C2 url": "213.21.220.222:8080"}

Multi AV Scanner detection for submitted file

Source: e8pLA1OhWt.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Uses 32bit PE files

Source: e8pLA1OhWt.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: e8pLA1OhWt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbX source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2607119734.0000000005151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2607119734.0000000005132000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2607119734.0000000005140000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 213.21.220.222:8080

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.9:49718 -> 213.21.220.222:8080

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 213.21.220.222 213.21.220.222

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VERSIALV VERSIALV

Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222

Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`, equals www.youtube.com (Youtube)
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)

Source: e8pLA1OhWt.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: e8pLA1OhWt.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: e8pLA1OhWt.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: e8pLA1OhWt.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: e8pLA1OhWt.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: e8pLA1OhWt.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: e8pLA1OhWt.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: e8pLA1OhWt.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: e8pLA1OhWt.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/8)
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject1LR
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject1Response
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject2LR
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject2Response
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject3LR
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject3Response
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002A78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002A78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip

System Summary

Malicious sample detected (through community Yara rule)

Source: e8pLA1OhWt.exe, type: SAMPLE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: e8pLA1OhWt.exe, Strings.cs

Large array initialization: Strings: array initializer size 6160

Detected potential crypto function

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Code function: 0_2_00F908FF	0_2_00F908FF
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Code function: 0_2_00F90910	0_2_00F90910
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Code function: 0_2_00F90B98	0_2_00F90B98
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Code function: 0_2_00F90B88	0_2_00F90B88

PE / OLE file has an invalid certificate

Source: e8pLA1OhWt.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: e8pLA1OhWt.exe, 00000000.00000000.1368754173.0000000000602000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCumbered.exe" vs e8pLA1OhWt.exe
Source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs e8pLA1OhWt.exe
Source: e8pLA1OhWt.exe	Binary or memory string: OriginalFilenameCumbered.exe" vs e8pLA1OhWt.exe

Uses 32bit PE files

Source: e8pLA1OhWt.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: e8pLA1OhWt.exe, type: SAMPLE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: e8pLA1OhWt.exe, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: e8pLA1OhWt.exe, o7sM5NGly1brP6N8Som.cs	Cryptographic APIs: 'CreateDecryptor'
Source: e8pLA1OhWt.exe, o7sM5NGly1brP6N8Som.cs	Cryptographic APIs: 'CreateDecryptor'

Source: e8pLA1OhWt.exe, Strings.cs

Base64 encoded string: 'GF8lRCIMAVA4ZD08PjsvGwdCGlohJ1k0DDMbBQtGFB4uKy8LGikfBzVRFjMWOTZGPgYnKCokEh8TClxc'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe

Mutant created: NULL

Source: e8pLA1OhWt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: e8pLA1OhWt.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: e8pLA1OhWt.exe

ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: mswsock.dll	Jump to behavior

Source: e8pLA1OhWt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: e8pLA1OhWt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbX source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2607119734.0000000005151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2607119734.0000000005132000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2607119734.0000000005140000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: e8pLA1OhWt.exe, o7sM5NGly1brP6N8Som.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Binary contains a suspicious time stamp

Source: e8pLA1OhWt.exe

Static PE information: 0x9D4414AF [Mon Aug 11 00:24:15 2053 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Code function: 0_2_00F9E150 pushad ; iretd		0_2_00F9E2C9
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Code function: 0_2_00F9E2C2 pushad ; iretd		0_2_00F9E2C9

Source: e8pLA1OhWt.exe, xyUIyFi0ReaLSD6iBqL.cs	High entropy of concatenated method names: 'yITibaNQ4A', 'GJIiegegHL', 'lRDiHOnWZ5', 'aLXidl1CUE', 'BZCiQiWHuj', 'eEsiJ4Q8Kq', 'MaIiVilCXF', 'Fkfiq4To1G', 'uZCi57gDNw', 'DIRizus36X'
Source: e8pLA1OhWt.exe, o7sM5NGly1brP6N8Som.cs	High entropy of concatenated method names: 'LdEiK6coYj', 'g38PJ8K3c0', 'DmSiBd5k16', 'BPHiRVDYZo', 'fVYirM23Nk', 'KkeiAq7iHt', 'mJ6xnWXOKt', 'bVNGIawupk', 'IkGG9HXQZt', 'B8yG3p9TPo'

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: e8pLA1OhWt.exe

Binary or memory string: \QEMU-GA.EXE

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: e8pLA1OhWt.exe	Binary or memory string: \qemu-ga.exe
Source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Queries volume information: C:\Users\user\Desktop\e8pLA1OhWt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: e8pLA1OhWt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1368754173.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: e8pLA1OhWt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1368754173.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e8pLA1OhWt.exe PID: 7456, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: e8pLA1OhWt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: e8pLA1OhWt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1368754173.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: e8pLA1OhWt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1368754173.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e8pLA1OhWt.exe PID: 7456, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: e8pLA1OhWt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.21.220.222	unknown	Latvia		8285	VERSIALV	true

Contacted Domains

Name	IP	Active
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
213.21.220.222:8080	true	Avira URL Cloud: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: e8pLA1OhWt.exe

Avira: detected

Found malware configuration

Source: e8pLA1OhWt.exe.7456.0.memstrmin

Malware Configuration Extractor: RedLine {"C2 url": "213.21.220.222:8080"}

Multi AV Scanner detection for submitted file

Source: e8pLA1OhWt.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Uses 32bit PE files

Source: e8pLA1OhWt.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: e8pLA1OhWt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbX source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2607119734.0000000005151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2607119734.0000000005132000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2607119734.0000000005140000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 213.21.220.222:8080

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.9:49718 -> 213.21.220.222:8080

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 213.21.220.222 213.21.220.222

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VERSIALV VERSIALV

Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222

Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`, equals www.youtube.com (Youtube)
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)

Source: e8pLA1OhWt.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: e8pLA1OhWt.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: e8pLA1OhWt.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: e8pLA1OhWt.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: e8pLA1OhWt.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: e8pLA1OhWt.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: e8pLA1OhWt.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: e8pLA1OhWt.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: e8pLA1OhWt.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/8)
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject1LR
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject1Response
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject2LR
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject2Response
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject3LR
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject3Response
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002A78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: e8pLA1OhWt.exe, 00000000.00000002.2605667538.0000000002A78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip

System Summary

Malicious sample detected (through community Yara rule)

Source: e8pLA1OhWt.exe, type: SAMPLE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: e8pLA1OhWt.exe, Strings.cs

Large array initialization: Strings: array initializer size 6160

Detected potential crypto function

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Code function: 0_2_00F908FF	0_2_00F908FF
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Code function: 0_2_00F90910	0_2_00F90910
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Code function: 0_2_00F90B98	0_2_00F90B98
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Code function: 0_2_00F90B88	0_2_00F90B88

PE / OLE file has an invalid certificate

Source: e8pLA1OhWt.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: e8pLA1OhWt.exe, 00000000.00000000.1368754173.0000000000602000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCumbered.exe" vs e8pLA1OhWt.exe
Source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs e8pLA1OhWt.exe
Source: e8pLA1OhWt.exe	Binary or memory string: OriginalFilenameCumbered.exe" vs e8pLA1OhWt.exe

Uses 32bit PE files

Source: e8pLA1OhWt.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: e8pLA1OhWt.exe, type: SAMPLE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: e8pLA1OhWt.exe, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: e8pLA1OhWt.exe, o7sM5NGly1brP6N8Som.cs	Cryptographic APIs: 'CreateDecryptor'
Source: e8pLA1OhWt.exe, o7sM5NGly1brP6N8Som.cs	Cryptographic APIs: 'CreateDecryptor'

Source: e8pLA1OhWt.exe, Strings.cs

Base64 encoded string: 'GF8lRCIMAVA4ZD08PjsvGwdCGlohJ1k0DDMbBQtGFB4uKy8LGikfBzVRFjMWOTZGPgYnKCokEh8TClxc'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe

Mutant created: NULL

Source: e8pLA1OhWt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: e8pLA1OhWt.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: e8pLA1OhWt.exe

ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Section loaded: mswsock.dll	Jump to behavior

Source: e8pLA1OhWt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: e8pLA1OhWt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbX source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2607119734.0000000005151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2607119734.0000000005132000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: e8pLA1OhWt.exe, 00000000.00000002.2607119734.0000000005140000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: e8pLA1OhWt.exe, o7sM5NGly1brP6N8Som.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Binary contains a suspicious time stamp

Source: e8pLA1OhWt.exe

Static PE information: 0x9D4414AF [Mon Aug 11 00:24:15 2053 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Code function: 0_2_00F9E150 pushad ; iretd		0_2_00F9E2C9
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Code function: 0_2_00F9E2C2 pushad ; iretd		0_2_00F9E2C9

Source: e8pLA1OhWt.exe, xyUIyFi0ReaLSD6iBqL.cs	High entropy of concatenated method names: 'yITibaNQ4A', 'GJIiegegHL', 'lRDiHOnWZ5', 'aLXidl1CUE', 'BZCiQiWHuj', 'eEsiJ4Q8Kq', 'MaIiVilCXF', 'Fkfiq4To1G', 'uZCi57gDNw', 'DIRizus36X'
Source: e8pLA1OhWt.exe, o7sM5NGly1brP6N8Som.cs	High entropy of concatenated method names: 'LdEiK6coYj', 'g38PJ8K3c0', 'DmSiBd5k16', 'BPHiRVDYZo', 'fVYirM23Nk', 'KkeiAq7iHt', 'mJ6xnWXOKt', 'bVNGIawupk', 'IkGG9HXQZt', 'B8yG3p9TPo'

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: e8pLA1OhWt.exe

Binary or memory string: \QEMU-GA.EXE

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: e8pLA1OhWt.exe	Binary or memory string: \qemu-ga.exe
Source: e8pLA1OhWt.exe, 00000000.00000002.2605011113.0000000000D31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Queries volume information: C:\Users\user\Desktop\e8pLA1OhWt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e8pLA1OhWt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\e8pLA1OhWt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: e8pLA1OhWt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1368754173.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: e8pLA1OhWt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1368754173.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e8pLA1OhWt.exe PID: 7456, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: e8pLA1OhWt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: e8pLA1OhWt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1368754173.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: e8pLA1OhWt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1368754173.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e8pLA1OhWt.exe PID: 7456, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: e8pLA1OhWt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.e8pLA1OhWt.exe.600000.0.unpack, type: UNPACKEDPE

ID:	1571569
Product:	CloudBasic
Start time:	15:08:46
Start date:	09.12.2024
Sample:	e8pLA1OhWt.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e0057ae14461e3b8a78e37ec22be695a
SHA1:	b7c77f2dfbe3bb76aca8afc5948e5e598c79cbff
SHA256:	fe99a90f23f1885f6cc6fc836e8fe33c806f39fefb6fce7668bbeb98a9fe6a77
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Windows Analysis Report
e8pLA1OhWt.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report e8pLA1OhWt.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
e8pLA1OhWt.exe

Malware Threat Intel
Provided by