Windows Analysis Report
38#Uc694.exe

Overview

General Information

Sample name: 38#Uc694.exe (renamed because original name is a hash value)
Original sample name: (20200525)_ .exe
Analysis ID: 1597247
MD5: 54bef758433c98353b61bf1e2aecefb2
SHA1: 06feb43c6d58eab893396f63aa2e1d0e4542f7d1
SHA256: 291f381da3286ea93c38bb325e19f35744349c3543708135d8be731f4bafb6e2
Tags: exe, user-MrMalware

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Vidar stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]

AV Detection

Source: 38#Uc694.exe Avira: detected
Source: http://centos10.com/vcruntime140.dllG Avira URL Cloud: Label: malware
Source: http://centos10.com/8aq Avira URL Cloud: Label: malware
Source: http://centos10.com/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://centos10.com/3aJ Avira URL Cloud: Label: malware
Source: http://centos10.com/mozglue.dll Avira URL Cloud: Label: malware
Source: http://centos10.com/x Avira URL Cloud: Label: malware
Source: http://centos10.com/nss3.dllw5 Avira URL Cloud: Label: malware
Source: http://centos10.com/276Pb8 Avira URL Cloud: Label: malware
Source: http://centos10.com/yptography Avira URL Cloud: Label: malware
Source: http://centos10.com/t Avira URL Cloud: Label: malware
Source: http://centos10.com/k Avira URL Cloud: Label: malware
Source: http://centos10.com/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://centos10.com/yptographym4 Avira URL Cloud: Label: malware
Source: http://centos10.com/freebl3.dll Avira URL Cloud: Label: malware
Source: http://centos10.com/nss3.dll Avira URL Cloud: Label: malware
Source: http://centos10.com/ Avira URL Cloud: Label: malware
Source: http://centos10.com/P Avira URL Cloud: Label: malware
Source: http://centos10.com/freebl3.dll(5m Avira URL Cloud: Label: malware
Source: http://centos10.com/276 Avira URL Cloud: Label: malware
Source: http://centos10.com/G Avira URL Cloud: Label: malware
Source: http://centos10.com/L Avira URL Cloud: Label: malware
Source: http://centos10.com/softokn3.dll Avira URL Cloud: Label: malware
Source: http://centos10.com/T4 Avira URL Cloud: Label: malware
Source: 38#Uc694.exe Virustotal: Detection: 89%
Source: 38#Uc694.exe ReversingLabs: Detection: 97%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 38#Uc694.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0040CB60 __EH_prolog3_GS,_memset,LocalAlloc,BCryptDecrypt, 0_2_0040CB60
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00409644 _memset,CryptStringToBinaryA,_memmove, 0_2_00409644
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0040982F CryptStringToBinaryA,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_0040982F
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00409896 CryptUnprotectData,LocalAlloc,_memmove,LocalFree, 0_2_00409896
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00409901 BCryptCloseAlgorithmProvider,BCryptDestroyKey, 0_2_00409901
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00409934 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 0_2_00409934
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004099A1 _malloc,_memmove,_malloc,CryptUnprotectData,_memmove, 0_2_004099A1
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024E9AE6 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_024E9AE6
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024E9BF1 _malloc,_malloc,CryptUnprotectData, 0_2_024E9BF1
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024E9894 _memset,CryptStringToBinaryA, 0_2_024E9894

Compliance

Source: C:\Users\user\Desktop\38#Uc694.exe Unpacked PE file: 0.2.38#Uc694.exe.400000.0.unpack
Source: 38#Uc694.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\38#Uc694.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00410073 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 0_2_00410073
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004105D9 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW, 0_2_004105D9
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00452A5D __EH_prolog3_GS,FindFirstFileW,FindNextFileW, 0_2_00452A5D
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00404AA6 __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose, 0_2_00404AA6
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0040ECE2 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,_fprintf,_fprintf,_fprintf,_fprintf,_fprintf,_fprintf,FindNextFileW,FindClose, 0_2_0040ECE2
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0041191E __wgetenv,FindFirstFileW,GetFileAttributesW,_fprintf,_fprintf,FindNextFileW,FindClose, 0_2_0041191E
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004052DD __EH_prolog3,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose,_memset,_memset,_memset,_memset, 0_2_004052DD
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024F02C3 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 0_2_024F02C3
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024E552D __EH_prolog3,lstrcpyW,FindFirstFileW,lstrcpyW,lstrcpyW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose,_memset,_memset,_memset,_memset, 0_2_024E552D
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024F1B15 __EH_prolog3_catch_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,_fprintf,_fprintf,FindNextFileW,FindClose, 0_2_024F1B15
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024F0829 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW, 0_2_024F0829
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024EEF32 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,_fprintf,_fprintf,_fprintf,_fprintf,_fprintf,_fprintf,FindNextFileW,FindClose, 0_2_024EEF32
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024E4CF6 __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose, 0_2_024E4CF6
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_02532CAD __EH_prolog3_GS,FindFirstFileW,FindNextFileW, 0_2_02532CAD
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004057CF _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok, 0_2_004057CF

Networking

Source: Network traffic Suricata IDS: 2034813 - Severity 1 - ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern : 192.168.2.8:49705 -> 208.95.112.1:80
Source: global traffic TCP traffic: 192.168.2.8:55849 -> 1.1.1.1:53
Source: global traffic HTTP traffic detected:
  POST /line/ HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
  Content-Length: 25
  Host: ip-api.com
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
  Data Ascii: --1BEF0A57BE110FD467A--
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: unknown DNS query: name: ip-api.com
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00408B46 __EH_prolog3,InternetSetFilePointer,InternetReadFile,_memmove,_memset,HttpQueryInfoA,CoCreateInstance,_memcpy_s,_memcpy_s, 0_2_00408B46
Source: global traffic DNS traffic detected: DNS query: centos10.com
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: unknown HTTP traffic detected:
  POST /line/ HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
  Content-Length: 25
  Host: ip-api.com
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
  Data Ascii: --1BEF0A57BE110FD467A--
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/276
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/276Pb8
Source: 38#Uc694.exe, 00000000.00000002.2699491874.0000000000B40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/3aJ
Source: 38#Uc694.exe, 00000000.00000002.2699491874.0000000000B40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/8aq
Source: 38#Uc694.exe, 00000000.00000002.2699491874.0000000000B40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/G
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/L
Source: 38#Uc694.exe, 00000000.00000002.2699491874.0000000000B40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/P
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/T4
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/freebl3.dll
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/freebl3.dll(5m
Source: 38#Uc694.exe, 00000000.00000002.2699491874.0000000000B40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/k
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/mozglue.dll
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/msvcp140.dll
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/nss3.dll
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/nss3.dllw5
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/softokn3.dll
Source: 38#Uc694.exe, 00000000.00000002.2699491874.0000000000B40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/t
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/vcruntime140.dll
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/vcruntime140.dllG
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/x
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/yptography
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://centos10.com/yptographym4
Source: 38#Uc694.exe, 00000000.00000002.2699629072.0000000000B5D000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/lA
Source: 38#Uc694.exe, 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://ip-api.com/line/
Source: 38#Uc694.exe, 00000000.00000002.2699491874.0000000000B40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/1

System Summary

Source: 0.2.38#Uc694.exe.24e0e50.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_9007feb2 Author: unknown
Source: 0.2.38#Uc694.exe.24e0e50.1.unpack, type: UNPACKEDPE Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0.3.38#Uc694.exe.2680000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_9007feb2 Author: unknown
Source: 0.3.38#Uc694.exe.2680000.0.unpack, type: UNPACKEDPE Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0.2.38#Uc694.exe.24e0e50.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_9007feb2 Author: unknown
Source: 0.2.38#Uc694.exe.24e0e50.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0.2.38#Uc694.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_9007feb2 Author: unknown
Source: 0.2.38#Uc694.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0.3.38#Uc694.exe.2680000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_9007feb2 Author: unknown
Source: 0.3.38#Uc694.exe.2680000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0.2.38#Uc694.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_9007feb2 Author: unknown
Source: 0.2.38#Uc694.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 00000000.00000002.2699629072.0000000000B5D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_9007feb2 Author: unknown
Source: 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_9007feb2 Author: unknown
Source: 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_9007feb2 Author: unknown
Source: 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00455F09 0_2_00455F09
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00426215 0_2_00426215
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004383B6 0_2_004383B6
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0046E5B7 0_2_0046E5B7
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004586E0 0_2_004586E0
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00468958 0_2_00468958
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00414BDE 0_2_00414BDE
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00468DED 0_2_00468DED
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0046918B 0_2_0046918B
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0042919F 0_2_0042919F
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0043F208 0_2_0043F208
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004492E3 0_2_004492E3
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0046F380 0_2_0046F380
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0046D439 0_2_0046D439
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004554A7 0_2_004554A7
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0046955D 0_2_0046955D
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00469945 0_2_00469945
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0044B92C 0_2_0044B92C
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0046D98A 0_2_0046D98A
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0046DEDB 0_2_0046DEDB
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00453F76 0_2_00453F76
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00449F21 0_2_00449F21
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00B618FE 0_2_00B618FE
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_02536159 0_2_02536159
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0254E12B 0_2_0254E12B
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_025341C6 0_2_025341C6
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_02518606 0_2_02518606
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_025356F7 0_2_025356F7
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0254D689 0_2_0254D689
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0251F458 0_2_0251F458
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_02506465 0_2_02506465
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0254F5D0 0_2_0254F5D0
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0252BB7C 0_2_0252BB7C
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0254DBDA 0_2_0254DBDA
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_02548BA8 0_2_02548BA8
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_02538930 0_2_02538930
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024F4E2E 0_2_024F4E2E
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 025381F0 appears 58 times
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 0045E9E0 appears 59 times
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 00421477 appears 67 times
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 004584F7 appears 40 times
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 004144F0 appears 37 times
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 00457FA0 appears 59 times
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 00458009 appears 31 times
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 0040143A appears 45 times
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 0253EC30 appears 55 times
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 00403279 appears 40 times
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 004212CD appears 40 times
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 02538259 appears 31 times
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: String function: 004214AA appears 103 times
Source: 38#Uc694.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.38#Uc694.exe.24e0e50.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_9007feb2 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 8416b14346f833264e32c63253ea0b0fe28e5244302b2e1b266749c543980fe2, id = 9007feb2-6ad1-47b6-bae2-3379d114e4f1, last_modified = 2021-08-23
Source: 0.2.38#Uc694.exe.24e0e50.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 0.3.38#Uc694.exe.2680000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_9007feb2 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 8416b14346f833264e32c63253ea0b0fe28e5244302b2e1b266749c543980fe2, id = 9007feb2-6ad1-47b6-bae2-3379d114e4f1, last_modified = 2021-08-23
Source: 0.3.38#Uc694.exe.2680000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 0.2.38#Uc694.exe.24e0e50.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_9007feb2 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 8416b14346f833264e32c63253ea0b0fe28e5244302b2e1b266749c543980fe2, id = 9007feb2-6ad1-47b6-bae2-3379d114e4f1, last_modified = 2021-08-23
Source: 0.2.38#Uc694.exe.24e0e50.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 0.2.38#Uc694.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_9007feb2 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 8416b14346f833264e32c63253ea0b0fe28e5244302b2e1b266749c543980fe2, id = 9007feb2-6ad1-47b6-bae2-3379d114e4f1, last_modified = 2021-08-23
Source: 0.2.38#Uc694.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 0.3.38#Uc694.exe.2680000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_9007feb2 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 8416b14346f833264e32c63253ea0b0fe28e5244302b2e1b266749c543980fe2, id = 9007feb2-6ad1-47b6-bae2-3379d114e4f1, last_modified = 2021-08-23
Source: 0.3.38#Uc694.exe.2680000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 0.2.38#Uc694.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_9007feb2 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 8416b14346f833264e32c63253ea0b0fe28e5244302b2e1b266749c543980fe2, id = 9007feb2-6ad1-47b6-bae2-3379d114e4f1, last_modified = 2021-08-23
Source: 0.2.38#Uc694.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 00000000.00000002.2699629072.0000000000B5D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_9007feb2 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 8416b14346f833264e32c63253ea0b0fe28e5244302b2e1b266749c543980fe2, id = 9007feb2-6ad1-47b6-bae2-3379d114e4f1, last_modified = 2021-08-23
Source: 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_9007feb2 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 8416b14346f833264e32c63253ea0b0fe28e5244302b2e1b266749c543980fe2, id = 9007feb2-6ad1-47b6-bae2-3379d114e4f1, last_modified = 2021-08-23
Source: 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_9007feb2 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 8416b14346f833264e32c63253ea0b0fe28e5244302b2e1b266749c543980fe2, id = 9007feb2-6ad1-47b6-bae2-3379d114e4f1, last_modified = 2021-08-23
Source: 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@1/1025@27/1
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00421667 GetLastError,FormatMessageW,FormatMessageA,LocalFree,_free, 0_2_00421667
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004217F0 GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free, 0_2_004217F0
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00450277 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00450277
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00408B46 __EH_prolog3,InternetSetFilePointer,InternetReadFile,_memmove,_memset,HttpQueryInfoA,CoCreateInstance,_memcpy_s,_memcpy_s, 0_2_00408B46
Source: C:\Users\user\Desktop\38#Uc694.exe Mutant created: \Sessions\1\BaseNamedObjects\9e146be9-c76a-4720-bcdb-53011b87bd06{a33c7340-61ca-11ee-8c18-806e6f6e6963}
Source: 38#Uc694.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\38#Uc694.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 38#Uc694.exe, 38#Uc694.exe, 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 38#Uc694.exe, 38#Uc694.exe, 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 38#Uc694.exe, 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 38#Uc694.exe, 38#Uc694.exe, 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 38#Uc694.exe, 38#Uc694.exe, 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 38#Uc694.exe, 38#Uc694.exe, 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 38#Uc694.exe, 00000000.00000003.1455001298.00000000027C1000.00000004.00000020.00020000.00000000.sdmp, ld.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 38#Uc694.exe, 38#Uc694.exe, 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 38#Uc694.exe Virustotal: Detection: 89%
Source: 38#Uc694.exe ReversingLabs: Detection: 97%
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\38#Uc694.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\38#Uc694.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation

Source: C:\Users\user\Desktop\38#Uc694.exe Unpacked PE file: 0.2.38#Uc694.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;
Source: C:\Users\user\Desktop\38#Uc694.exe Unpacked PE file: 0.2.38#Uc694.exe.400000.0.unpack
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0040C025 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,WideCharToMultiByte,_fprintf,WideCharToMultiByte,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,FreeLibrary, 0_2_0040C025
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00458078 push ecx; ret 0_2_0045808B
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0045EA25 push ecx; ret 0_2_0045EA38
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00B5D8CC pushad ; retf 0_2_00B5D8D5
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00B613F5 push ecx; ret 0_2_00B6144A
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00B60D2A pushad ; retf 0_2_00B60D2E
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00B61E28 push esi; ret 0_2_00B61E31
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_02504210 push dword ptr [edi+ebx-75h]; ret 0_2_0250421C
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_025382C8 push ecx; ret 0_2_025382DB
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024F86DC push ds; ret 0_2_024F86EA
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024E0EFC push ecx; retf 0_2_024E0EFD
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0253EC75 push ecx; ret 0_2_0253EC88
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0040A618 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__EH_prolog3,__wgetenv,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0040A618
Source: C:\Users\user\Desktop\38#Uc694.exe Window / User API: threadDelayed 3097
Source: C:\Users\user\Desktop\38#Uc694.exe Window / User API: threadDelayed 2075
Source: C:\Users\user\Desktop\38#Uc694.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\38#Uc694.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\38#Uc694.exe TID: 6736 Thread sleep count: 3097 > 30
Source: C:\Users\user\Desktop\38#Uc694.exe TID: 6736 Thread sleep time: -266342000s >= -30000s
Source: C:\Users\user\Desktop\38#Uc694.exe TID: 6736 Thread sleep count: 2075 > 30
Source: C:\Users\user\Desktop\38#Uc694.exe TID: 6736 Thread sleep time: -178450000s >= -30000s
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00450117 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00450242h 0_2_00450117
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004158C1 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 0041590Fh 0_2_004158C1
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024F5B11 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 024F5B5Fh 0_2_024F5B11
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00410073 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 0_2_00410073
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004105D9 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW, 0_2_004105D9
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00452A5D __EH_prolog3_GS,FindFirstFileW,FindNextFileW, 0_2_00452A5D
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00404AA6 __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose, 0_2_00404AA6
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0040ECE2 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,_fprintf,_fprintf,_fprintf,_fprintf,_fprintf,_fprintf,FindNextFileW,FindClose, 0_2_0040ECE2
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0041191E __wgetenv,FindFirstFileW,GetFileAttributesW,_fprintf,_fprintf,FindNextFileW,FindClose, 0_2_0041191E
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004052DD __EH_prolog3,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose,_memset,_memset,_memset,_memset, 0_2_004052DD
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024F02C3 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 0_2_024F02C3
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024E552D __EH_prolog3,lstrcpyW,FindFirstFileW,lstrcpyW,lstrcpyW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose,_memset,_memset,_memset,_memset, 0_2_024E552D
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024F1B15 __EH_prolog3_catch_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,_fprintf,_fprintf,FindNextFileW,FindClose, 0_2_024F1B15
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024F0829 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,FindNextFileW, 0_2_024F0829
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024EEF32 __EH_prolog3_GS,__wgetenv,FindFirstFileW,GetFileAttributesW,_fprintf,_fprintf,_fprintf,_fprintf,_fprintf,_fprintf,FindNextFileW,FindClose, 0_2_024EEF32
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024E4CF6 __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose, 0_2_024E4CF6
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_02532CAD __EH_prolog3_GS,FindFirstFileW,FindNextFileW, 0_2_02532CAD
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004057CF _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok, 0_2_004057CF
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004268F5 GetSystemInfo, 0_2_004268F5
Source: C:\Users\user\Desktop\38#Uc694.exe Thread delayed: delay time: 86000
Source: 38#Uc694.exe, 00000000.00000002.2699693203.0000000000C02000.00000004.00000020.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699693203.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp, 38#Uc694.exe, 00000000.00000002.2699693203.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\38#Uc694.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\38#Uc694.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0045EBDE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0045EBDE
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0040C025 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,WideCharToMultiByte,_fprintf,WideCharToMultiByte,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,FreeLibrary, 0_2_0040C025
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00B5DED3 push dword ptr fs:[00000030h] 0_2_00B5DED3
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024E092B mov eax, dword ptr fs:[00000030h] 0_2_024E092B
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_024E0D90 mov eax, dword ptr fs:[00000030h] 0_2_024E0D90
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0046D0C5 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_0046D0C5
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_004663A1 SetUnhandledExceptionFilter, 0_2_004663A1
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0045EBDE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0045EBDE
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00457F91 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00457F91
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_025381E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_025381E1
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0253EE2E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0253EE2E
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: __EH_prolog3,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,_memset,LocalFree, 0_2_00450117
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0046823C
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_00468331
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_004683D8
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_00468433
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_00468604
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_004686C4
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_00468767
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0046872B
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 0_2_00466B63
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00466E0E
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 0_2_0046CE27
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_0046CF01
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: GetLocaleInfoA, 0_2_004592EF
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_00467A6A
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 0_2_0045BCDD
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_00467D58
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: __EH_prolog3,LocalAlloc,GetLocaleInfoA,_memset,LocalFree, 0_2_02530367
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_0254705E
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_0254D151
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_02548628
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0254848C
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_02548581
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_02548854
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0254897B
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_02548914
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itow_s, 0_2_025489B7
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 0_2_0253BF2D
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free, 0_2_02547CBA
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free,GetLocaleInfoW, 0_2_02546DB3
Source: C:\Users\user\Desktop\38#Uc694.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\38#Uc694.exe Queries volume information: C:\ProgramData\5PWAF8402SQ6DTK7WLB5FVXGK\files\information.txt VolumeInformation
Source: C:\Users\user\Desktop\38#Uc694.exe Queries volume information: C:\ProgramData\5PWAF8402SQ6DTK7WLB5FVXGK\files\passwords.txt VolumeInformation
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00450060 __EH_prolog3_GS,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime, 0_2_00450060
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_0044FB72 GetUserNameA, 0_2_0044FB72
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00450060 __EH_prolog3_GS,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime, 0_2_00450060
Source: C:\Users\user\Desktop\38#Uc694.exe Code function: 0_2_00414FB2 GetVersionExA, 0_2_00414FB2
Source: C:\Users\user\Desktop\38#Uc694.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.38#Uc694.exe.24e0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.38#Uc694.exe.2680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.38#Uc694.exe.24e0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.38#Uc694.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.38#Uc694.exe.2680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.38#Uc694.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 38#Uc694.exe PID: 7008, type: MEMORYSTR
Source: 38#Uc694.exe String found in binary or memory: \Electrum\wallets\
Source: 38#Uc694.exe String found in binary or memory: \ElectronCash\wallets\
Source: 38#Uc694.exe String found in binary or memory: \jaxx\Local Storage\
Source: 38#Uc694.exe String found in binary or memory: window-state.json
Source: 38#Uc694.exe String found in binary or memory: exodus.conf.json
Source: 38#Uc694.exe String found in binary or memory: info.seco
Source: 38#Uc694.exe String found in binary or memory: \Exodus\exodus.wallet\
Source: 38#Uc694.exe String found in binary or memory: ElectrumLTC
Source: 38#Uc694.exe String found in binary or memory: passphrase.json
Source: 38#Uc694.exe String found in binary or memory: \Ethereum\
Source: 38#Uc694.exe String found in binary or memory: Exodus
Source: 38#Uc694.exe String found in binary or memory: Ethereum
Source: 38#Uc694.exe String found in binary or memory: default_wallet
Source: 38#Uc694.exe String found in binary or memory: file__0.localstorage
Source: 38#Uc694.exe String found in binary or memory: \MultiDoge\
Source: 38#Uc694.exe String found in binary or memory: seed.seco
Source: 38#Uc694.exe String found in binary or memory: keystore
Source: 38#Uc694.exe String found in binary or memory: \Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\38#Uc694.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Users\user\Desktop\38#Uc694.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\38#Uc694.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: Yara match File source: Process Memory Space: 38#Uc694.exe PID: 7008, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.38#Uc694.exe.24e0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.38#Uc694.exe.2680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.38#Uc694.exe.24e0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.38#Uc694.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.38#Uc694.exe.2680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.38#Uc694.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1441590493.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2699979155.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2699058464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 38#Uc694.exe PID: 7008, type: MEMORYSTR