Windows Analysis Report
51FZ8pgLbe.exe

Overview

General Information

Sample name: 51FZ8pgLbe.exe
renamed because original name is a hash value
Original sample name: 9C29717F4D12C30226F5F0FB1BD13FE5.exe
Analysis ID: 1580950
MD5: 9c29717f4d12c30226f5f0fb1bd13fe5
SHA1: b4a9c7a926d7bb950de71477186b4d78bca63fbb
SHA256: 272bf955c164d64065dde62da7d5ec609c504b67cbd776a79aa28c34117c3887
Tags: exe, ValleyRAT, user-abuse_ch

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 51FZ8pgLbe.exe Virustotal: Detection: 60%
Source: 51FZ8pgLbe.exe ReversingLabs: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 51FZ8pgLbe.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 51FZ8pgLbe.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_0056A6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 0_2_0056A6C3

Networking

Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49730 -> 116.198.232.205:8888
Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49772 -> 116.198.232.205:6666
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 116.198.232.205:8888
Source: Joe Sandbox View ASN Name: CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian
Source: unknown TCP traffic detected without corresponding DNS query: 116.198.232.205
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_00533507 recv,SetLastError,WSASetLastError,GetLastError,WSAGetLastError, 0_2_00533507
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_0055C213 __EH_prolog3_GS,GetParent,GetParent,GetParent,UpdateWindow,SetCursor,GetAsyncKeyState,UpdateWindow,InflateRect,SetCapture,SetCursor,IsWindow,GetCursorPos,ScreenToClient,PtInRect,RedrawWindow,GetParent,GetParent,GetParent,RedrawWindow,RedrawWindow,GetParent,GetParent,GetParent,InvalidateRect,UpdateWindow,UpdateWindow,SetCapture,RedrawWindow, 0_2_0055C213
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_00598206 MessageBeep,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW, 0_2_00598206
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_0056C51E SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW, 0_2_0056C51E
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_005E0863 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer, 0_2_005E0863
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_0057688A IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen, 0_2_0057688A
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_005749CC IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen, 0_2_005749CC
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_005B09E6 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_005B09E6
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_00598DC6 GetParent,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW, 0_2_00598DC6
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_0056207D 0_2_0056207D
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_005CE67D 0_2_005CE67D
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_00644E6C 0_2_00644E6C
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_00636F6B 0_2_00636F6B
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_006398A3 0_2_006398A3
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: String function: 00635E4B appears 208 times
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: String function: 006363B0 appears 33 times
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: String function: 00635EB4 appears 54 times
Source: 51FZ8pgLbe.exe, 00000000.00000000.1676149608.0000000000823000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMiniCADSee_X64.exe0 vs 51FZ8pgLbe.exe
Source: 51FZ8pgLbe.exe Binary or memory string: OriginalFilenameMiniCADSee_X64.exe0 vs 51FZ8pgLbe.exe
Source: classification engine Classification label: mal60.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_0054A66C CoInitialize,CoCreateInstance, 0_2_0054A66C
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_0053A4D3 FindResourceW,LoadResource,LockResource,FreeResource, 0_2_0053A4D3
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Mutant created: \Sessions\1\BaseNamedObjects\MyUniqueMutexName
Source: 51FZ8pgLbe.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Section loaded: rasadhlp.dll
Source: 51FZ8pgLbe.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 51FZ8pgLbe.exe Static file information: File size 3218944 > 1048576
Source: 51FZ8pgLbe.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x128a00
Source: 51FZ8pgLbe.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x173a00
Source: 51FZ8pgLbe.exe Static PE information: More than 200 imports for USER32.dll
Source: 51FZ8pgLbe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 51FZ8pgLbe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 51FZ8pgLbe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 51FZ8pgLbe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 51FZ8pgLbe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_005310BE __floor_pentium4,LoadLibraryW,GetProcAddress,VirtualAlloc,_memmove,VirtualFree, 0_2_005310BE
Source: 51FZ8pgLbe.exe Static PE information: real checksum: 0x314ee0 should be: 0x31a569
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_006363F5 push ecx; ret 0_2_00636408
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_00635F23 push ecx; ret 0_2_00635F36
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_00572018 IsIconic, 0_2_00572018
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_005B22CB IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW, 0_2_005B22CB
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_0055CC9C SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 0_2_0055CC9C
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_0056CD1F IsWindowVisible,IsIconic, 0_2_0056CD1F
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_005B2E90 IsIconic,PostMessageW, 0_2_005B2E90
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_005B0FB1 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible, 0_2_005B0FB1
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_00535516 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetDC,SelectObject, 0_2_00535516
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_005B1A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 0_2_005B1A40
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_005B1D40 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect, 0_2_005B1D40
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_00587DE2 GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos, 0_2_00587DE2
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_00571F74 SetForegroundWindow,IsIconic, 0_2_00571F74
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_0054B770 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,GetSystemMetrics,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0054B770
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Window / User API: threadDelayed 6838
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe API coverage: 4.8 %
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe TID: 6228 Thread sleep count: 6838 > 30
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe TID: 6228 Thread sleep time: -68380s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Thread sleep count: Count: 6838 delay: -10
Source: 51FZ8pgLbe.exe, 00000000.00000002.2914968247.0000000001140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<@|
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_006347AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_006347AC
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_0063BBA1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0063BBA1
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 0_2_00537502
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_00638F59 GetSystemTimeAsFileTime,__aulldiv, 0_2_00638F59
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe Code function: 0_2_00642110 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_00642110